General

  • Target

    DISK WOOF.bat

  • Size

    293KB

  • Sample

    250126-gawa3stlat

  • MD5

    bff3ba161e02cc0978e9c03f9260bb0f

  • SHA1

    e21f8195770e99123e78f58fea37391fb87e60d3

  • SHA256

    ac61e90dbcbac2af4b225a840f4beb1d5f34ad49955f02fd4d8a96469f87e5b5

  • SHA512

    69b1e86a937bd2dc8943958d19af1c72f01e650e73fe0d1d5d01c7fbe5da525df0789968b1ec19a0337b4afc8491d52d314e171942af252b9110b02b31bc9070

  • SSDEEP

    6144:6vP83Z7z/IiptJe0HrsOl3eC9P8/5w3s+bABtoqi77eXh:K83Z7z93rzl3eYP5UB+77eXh

Malware Config

Extracted

Family

xworm

C2

kind-sofa.gl.at.ply.gg:31503

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Deletes itself

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15