xworm | c553ea7bee293443389de689b7643bae072e370db4521944c022257f7e9fb78f | Triage

Sharing

Copy URL Twitter E-mail

General

Target

unbannerfix.bat
Size

265KB
Sample

241201-23h7fa1pgm
MD5

391260b818f3c5780d26aa1e41f69bc7
SHA1

9b625055614c523afb214673ff0a0e190b69225c
SHA256

c553ea7bee293443389de689b7643bae072e370db4521944c022257f7e9fb78f
SHA512

1556565690195b330f1ebf58203a1fa7179b558a11fc5f72200fc9a233939115ea0eafd90b4c084a1a8468b3cfa1f8c1f9efac4fbbf044434433ee4a21b0a24f
SSDEEP

6144:NKz1+0JywFQIhXhX1jB7MQT0BV7BpaE8q4:G80JdFQ65v7MQT+Hpfl4

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:14839

Mutex

oEx5hq0hP6cJqiWc

Attributes

Install_directory
%AppData%
install_file
System32.exe

aes.plain

Targets

- Target
  
  unbannerfix.bat
- Size
  
  265KB
- MD5
  
  391260b818f3c5780d26aa1e41f69bc7
- SHA1
  
  9b625055614c523afb214673ff0a0e190b69225c
- SHA256
  
  c553ea7bee293443389de689b7643bae072e370db4521944c022257f7e9fb78f
- SHA512
  
  1556565690195b330f1ebf58203a1fa7179b558a11fc5f72200fc9a233939115ea0eafd90b4c084a1a8468b3cfa1f8c1f9efac4fbbf044434433ee4a21b0a24f
- SSDEEP
  
  6144:NKz1+0JywFQIhXhX1jB7MQT0BV7BpaE8q4:G80JdFQ65v7MQT+Hpfl4
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan