Overview

overview

10

Static

static

1

aimbotfr stub.bat

windows7-x64

8

aimbotfr stub.bat

windows10-2004-x64

10

aimbotfr stub.bat

windows10-ltsc 2021-x64

10

aimbotfr stub.bat

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aimbotfr stub.bat

  • Size

    478KB

  • Sample

    241114-tnbvtazrev

  • MD5

    09c4764995d1f2e96d0a228743f2425e

  • SHA1

    0a755c43e147141ec0e9d96d243765af66d1e8a0

  • SHA256

    c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

  • SHA512

    856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

  • SSDEEP

    6144:Y5uDX7kLnB9tGFQe+6YRAFcqLw7DT8ZUXtk9clnD:Yo8LB2FQh64AFcqLw7kZ+uInD

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

80.76.49.227:9999

Mutex

g0vzRORqzebeaKQj

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      aimbotfr stub.bat

    • Size

      478KB

    • MD5

      09c4764995d1f2e96d0a228743f2425e

    • SHA1

      0a755c43e147141ec0e9d96d243765af66d1e8a0

    • SHA256

      c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

    • SHA512

      856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

    • SSDEEP

      6144:Y5uDX7kLnB9tGFQe+6YRAFcqLw7DT8ZUXtk9clnD:Yo8LB2FQh64AFcqLw7kZ+uInD

    Score
    10/10
    executionxwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks