xworm | ad7c1c54dbc4a02faa20044c37c24478923ca1cc17989429caf059cc622eb95e | Triage

Sharing

General

Target

ssssss.bat
Size

293KB
Sample

241109-v1q1yaxqay
MD5

55045f48b34f00088c49b229bc07c30e
SHA1

f875cce5c12e06899b39223e040cad9f46ada1cd
SHA256

ad7c1c54dbc4a02faa20044c37c24478923ca1cc17989429caf059cc622eb95e
SHA512

549512c75fc5089cb7d4b41e3b55dde60ae253232f4ea7aed25296ebe6f16e6cc5d9fac8284240d23e060a6770514473eb29a81d5a6041ea43bf6d28f163ee7d
SSDEEP

3072:YIeH8waTPggAXw95luaeejSSb6wM7wXgfYM8J2Q3nfWvSYD5y6wHh9+nxMKi1/TM:gHbWAXnevGR6f2QvFIyD9+K/TvXum6

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

149.40.62.55:60447

Attributes

Install_directory
%AppData%
install_file
System User.exe

Targets

- Target
  
  ssssss.bat
- Size
  
  293KB
- MD5
  
  55045f48b34f00088c49b229bc07c30e
- SHA1
  
  f875cce5c12e06899b39223e040cad9f46ada1cd
- SHA256
  
  ad7c1c54dbc4a02faa20044c37c24478923ca1cc17989429caf059cc622eb95e
- SHA512
  
  549512c75fc5089cb7d4b41e3b55dde60ae253232f4ea7aed25296ebe6f16e6cc5d9fac8284240d23e060a6770514473eb29a81d5a6041ea43bf6d28f163ee7d
- SSDEEP
  
  3072:YIeH8waTPggAXw95luaeejSSb6wM7wXgfYM8J2Q3nfWvSYD5y6wHh9+nxMKi1/TM:gHbWAXnevGR6f2QvFIyD9+K/TvXum6
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan