xworm | 2b376fc26c056e80151240114b9775ca057083dc838c15f586bf2857c9affda8 | Triage

Sharing

General

Target

2b376fc26c056e80151240114b9775ca057083dc838c15f586bf2857c9affda8.bat
Size

64KB
Sample

250302-cnr4cs1mw2
MD5

c24ad5f86f3789fe871d0bd328838f9a
SHA1

fcdf8088406fa2b07e93c02058aa13398c065e02
SHA256

2b376fc26c056e80151240114b9775ca057083dc838c15f586bf2857c9affda8
SHA512

c5a4106048010617319175c0097f9cd1ea1f6198c0fac1590808cca198709adbe0619c0ba14fe55a56f0257f967d5cdeae8cb719472d24d860f6076aed11e88e
SSDEEP

1536:vSWGfd3nZkbmEKUgXEXzICKUnFrcACGUrv4fuipRcLS+/a+gjgYWjT:vP4YHfBXUzGV2G9CT

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

expresswealthz.duckdns.org:3911

Mutex

VeNg3bHq9tIgwrK7

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  2b376fc26c056e80151240114b9775ca057083dc838c15f586bf2857c9affda8.bat
- Size
  
  64KB
- MD5
  
  c24ad5f86f3789fe871d0bd328838f9a
- SHA1
  
  fcdf8088406fa2b07e93c02058aa13398c065e02
- SHA256
  
  2b376fc26c056e80151240114b9775ca057083dc838c15f586bf2857c9affda8
- SHA512
  
  c5a4106048010617319175c0097f9cd1ea1f6198c0fac1590808cca198709adbe0619c0ba14fe55a56f0257f967d5cdeae8cb719472d24d860f6076aed11e88e
- SSDEEP
  
  1536:vSWGfd3nZkbmEKUgXEXzICKUnFrcACGUrv4fuipRcLS+/a+gjgYWjT:vP4YHfBXUzGV2G9CT
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan