General

  • Target

    OPTIMZERv11.bat

  • Size

    261KB

  • Sample

    250122-wmj6xayqcr

  • MD5

    4d4e8d39c4cd1f32cd3e4b1864e6e5dd

  • SHA1

    a07908930a166abbbb1025cc61ea42405e244de7

  • SHA256

    17f4fdd88d05fccfec939b0783678bccef1592d7a95c3ab8b134dc0dc4762b7b

  • SHA512

    97d88a8e9689cdfd5747079ce77f1a23eb07f3df998975bd8aa5c198b43cc94d564ab83ddcef717599c2d0530ecf61e78e11236ce851757940340354010bd9ed

  • SSDEEP

    6144:3zlBsZB7WhOwyt/iSfecyYmZwlu7AaGz4Rx/Ch+4LG3:DluZB7WjS3m3E4x/ChbLG3

Malware Config

Extracted

Family

xworm

Version

5.0

C2

5.tcp.ngrok.io:20448

:20448

Mutex

Ur1UqQ96vApo0dqU

Attributes

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      OPTIMZERv11.bat

    • Size

      261KB

    • MD5

      4d4e8d39c4cd1f32cd3e4b1864e6e5dd

    • SHA1

      a07908930a166abbbb1025cc61ea42405e244de7

    • SHA256

      17f4fdd88d05fccfec939b0783678bccef1592d7a95c3ab8b134dc0dc4762b7b

    • SHA512

      97d88a8e9689cdfd5747079ce77f1a23eb07f3df998975bd8aa5c198b43cc94d564ab83ddcef717599c2d0530ecf61e78e11236ce851757940340354010bd9ed

    • SSDEEP

      6144:3zlBsZB7WhOwyt/iSfecyYmZwlu7AaGz4Rx/Ch+4LG3:DluZB7WjS3m3E4x/ChbLG3

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks