xworm | d7749105cc48b5b05dedd66821841b2ba26fd810b3218ca1da9e77bc7102024a | Triage

Sharing

General

Target

d7749105cc48b5b05dedd66821841b2ba26fd810b3218ca1da9e77bc7102024a.bat
Size

6KB
Sample

250228-efbgra1my5
MD5

0d6264ae6ff078d8848029e3c50f2a2d
SHA1

5417957ec62a29eff4dfab7582dc9a1e57a7b006
SHA256

d7749105cc48b5b05dedd66821841b2ba26fd810b3218ca1da9e77bc7102024a
SHA512

6cabfe4d712a7f7853084b2510438526f985d996224a190954ccf82e629987f8dd11fa3f057a9bf9fe0f74638a03d86a77d8a23eade7c7c518ab019311470eae
SSDEEP

192:sH2tPgSyFwTvE8dE9ogpVBmRGOCaNQMKvqFaS733y/UmQC:tPdWwTTy7eClvzS+/tQC

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.167.61.3:2025

Mutex

iZeDVst50egSZKSj

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  d7749105cc48b5b05dedd66821841b2ba26fd810b3218ca1da9e77bc7102024a.bat
- Size
  
  6KB
- MD5
  
  0d6264ae6ff078d8848029e3c50f2a2d
- SHA1
  
  5417957ec62a29eff4dfab7582dc9a1e57a7b006
- SHA256
  
  d7749105cc48b5b05dedd66821841b2ba26fd810b3218ca1da9e77bc7102024a
- SHA512
  
  6cabfe4d712a7f7853084b2510438526f985d996224a190954ccf82e629987f8dd11fa3f057a9bf9fe0f74638a03d86a77d8a23eade7c7c518ab019311470eae
- SSDEEP
  
  192:sH2tPgSyFwTvE8dE9ogpVBmRGOCaNQMKvqFaS733y/UmQC:tPdWwTTy7eClvzS+/tQC
Score

10^/10

execution xworm discovery persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionpersistencerattrojan