xworm | 53f2e070b61e8a329b7b53d1615c3c75338aea7fe826918ce07237210ce37f53 | Triage

Sharing

General

Target

53f2e070b61e8a329b7b53d1615c3c75338aea7fe826918ce07237210ce37f53
Size

34KB
Sample

250228-tm77ma1vbt
MD5

fae7e42901c6f4610f200f810e3b9682
SHA1

faa5f77fd3e85aa3448966b35e3c258339f78c21
SHA256

53f2e070b61e8a329b7b53d1615c3c75338aea7fe826918ce07237210ce37f53
SHA512

b1c98673aa967e2c43206a512ae9c1c24ed52c8a87eb2974b118adfafd57cd04605cf7aefda77e9e2692e452f4f67fd0e90ba740042ef85944bf46d2c503fe95
SSDEEP

768:6wEjmnzgDJdYohMSg+FYTbXZryWsuEjyGV89y+XBWAfHZ:FESzgDJdf9FYdy1G2J+QAPZ

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

expresswealthz.duckdns.org:3911

Mutex

KmNubOoGsw3EMIcM

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  Electonic-Tracking_document_.pdf.bat
- Size
  
  64KB
- MD5
  
  462294b19375b265a9a912046e9c332f
- SHA1
  
  cda76d3e16a4981079254193ec1afc4041f06e0b
- SHA256
  
  080caa16fb7cf79c83f649022e79ca9db8160f1678c17f5832219c0a38be3e33
- SHA512
  
  8ef1f9f32e9f65f51914d3c605d72646910865488faf5bf4ea4e236f649fb21dbbdc1f172889560e6af4c8bfe89afc88225418fe57f5d7de872bda7218fda3a7
- SSDEEP
  
  1536:cV/qLMkewGW080dm+qxR2zFnaMvv6ZkbmEKUgXEXzICKUnFi:cV/qLM6Z0ldCxiFnvDHfs
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan