xworm | 60ddaf8d345c4fab6658466b51ceb48e63bf3d04fb76353ed18e42c069138ad7 | Triage

Submit
Reports

Overview

overview

Static

static

1

skibidi toilet.bat

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

skibidi toilet.bat
Size

405KB
Sample

241202-c2hf3svmhy
MD5

5c9e99bce6940302fcd272f3f2ee4fbb
SHA1

b09e0e78ce4af3c4e0ef0e769ecb3417188d3f55
SHA256

60ddaf8d345c4fab6658466b51ceb48e63bf3d04fb76353ed18e42c069138ad7
SHA512

34e4e588497e886daf4531ef98702285a65e80a4b79752c9ca9eb57cf342ad19e594b1f579f197e8320c9a5a84f0888b053a1a4c01907e3ffd6688ab06bd9586
SSDEEP

6144:+z0aix6BLxnTI513uNOp/OOUkzGYvZBrRAIOP85qEon6CKjQHdm7mpktiPrcr9pK:ixlE51esp/DdZkI68VUPKcHUikwi9pK

Score

10^/10

xworm defense_evasion execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

skibidi toilet.bat

Resource

win10v2004-20241007-en

xworm defense_evasion execution rat trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

194.59.30.229:7000

Attributes

install_file
USB.exe

Targets

- Target
  
  skibidi toilet.bat
- Size
  
  405KB
- MD5
  
  5c9e99bce6940302fcd272f3f2ee4fbb
- SHA1
  
  b09e0e78ce4af3c4e0ef0e769ecb3417188d3f55
- SHA256
  
  60ddaf8d345c4fab6658466b51ceb48e63bf3d04fb76353ed18e42c069138ad7
- SHA512
  
  34e4e588497e886daf4531ef98702285a65e80a4b79752c9ca9eb57cf342ad19e594b1f579f197e8320c9a5a84f0888b053a1a4c01907e3ffd6688ab06bd9586
- SSDEEP
  
  6144:+z0aix6BLxnTI513uNOp/OOUkzGYvZBrRAIOP85qEon6CKjQHdm7mpktiPrcr9pK:ixlE51esp/DdZkI68VUPKcHUikwi9pK
Score

10^/10

xworm defense_evasion execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionexecutionrattrojan

© 2018-2025

Terms | Privacy