Overview

overview

10

Static

static

10

script.ps1

windows7-x64

3

script.ps1

windows10-2004-x64

10

Resubmissions

20-11-2024 13:23

241120-qmv1hsxmfv 10

20-11-2024 13:21

241120-qlqz6sxgpk 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    script.ps1

  • Size

    1KB

  • Sample

    241120-qlqz6sxgpk

  • MD5

    44b6f4aa8768e9628adb4f50961a6be2

  • SHA1

    20964d7c8397c3a56821182fd6c1d426d2513fbe

  • SHA256

    c89a2ecf7b0776d2e7ee6974b11765a8e90e3ea4f903835053366954c4dbbe60

  • SHA512

    b69ce3f9f6fd0585936796862f51f309511400543285fc35eddcbec034612a511f84bbb8dac6f831ba44dea2dcd5a95e3ba483bf7fb4554b82192ccd36ebeccf

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://093-up-r.jotta.cloud/files/v1/dl/eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiemlwIjoiREVGIn0..6qIf4XOjfmGHJk4JenudYQ.jT47eezZSpCBBFPGFoX3b-xHtf_KH7qrFUZh87ymUK0N8qtSAJCDoW2gU1NKYgqTU1Am_4jALF-cjGu-fvYI1OB4TYQ5ikA1XuJw-hh7zTITvOqKPQxpPqGOLOAOUyOwuhGMZKXoZ9klCVN910uCmwqweYaP7HUSQpX5faC96h40K7WIg3LXP6VCH1PsoUb5ZBX6r0r0s6OCkxmqe28ks8TNc4n8jV8M7zMeQEeU67qqNGyIrA71KDuP8fbSB4Ll4O_vhIs7ed1cyGL6o4XWyA.valiZbtwoYqvQX8SiytyVQ?access_token=eyJraWQiOiJkZDBhMWIyOS02MjIyLTRmMWMtYjhkOS1jOTFiY2Q1OTRiMjkiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJhY2NvdW50Iiwic3ViIjoicF84ZWU0ZmM0YzA1MDc0ODZiYjVhMmU4ZTcyZDhhN2UiLCJzdCI6IkNpQndYemhsWlRSbVl6UmpNRFV3TnpRNE5tSmlOV0V5WlRobE56SmtPR0UzWlJJQ0NBRWFKUm9qTXpjeE9XRmxaV1V5WVdOaE1HRXhORFJsT1dJek9UVmhNemd4WW1Jd09ETmtNVFU9IiwiaXNzIjoiam90dGEiLCJ0eXAiOiJCZWFyZXIiLCJleHAiOjE3MzIxOTMzNjcsInVzZXJuYW1lIjoicF84ZWU0ZmM0YzA1MDc0ODZiYjVhMmU4ZTcyZDhhN2UifQ.DSrZyuj3rHbEqOyha75kVNlyJA477O8UOACaQC-QV8TzABgDcHLp0QVfJ90b_NHro7XDCJmy_XAZqxB1RiCUT_J6HjtQVuXPypjxaA0qWWXmTA0FehHq7Q2v9GFGT5nIwFvNuMMISw9oK3U1HAIOcS7P-3tqgkO4It9FoAWlCd9ODEVop9UF2_BXsrtzH1loLSKawSKbXPbIBBA9qzf4XsOR61pqWKKe4X3EnSy2M0ezhGRnKbJblgX-097_ecAKSDMwVGE_LmLuuezvhsyWWYKp3yw5Jxwix3oMkzfOmZ5pX4yo8-x5UQZ6kKFZ0Sx32nDQg5oCuP_DA4szUfSvqQ

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    Chrome.exe

  • pastebin_url

    https://pastebin.com/raw/H3wFXmEi

Targets

    • Target

      script.ps1

    • Size

      1KB

    • MD5

      44b6f4aa8768e9628adb4f50961a6be2

    • SHA1

      20964d7c8397c3a56821182fd6c1d426d2513fbe

    • SHA256

      c89a2ecf7b0776d2e7ee6974b11765a8e90e3ea4f903835053366954c4dbbe60

    • SHA512

      b69ce3f9f6fd0585936796862f51f309511400543285fc35eddcbec034612a511f84bbb8dac6f831ba44dea2dcd5a95e3ba483bf7fb4554b82192ccd36ebeccf

    Score
    10/10
    executionxwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks