xworm | 87913ff2c6fabe85812bbc7691a8773cb4842557699151d63fe492f2420fc567 | Triage

Submit
Reports

Overview

overview

Static

static

1

wB30XU8F.bat

windows7-x64

8

wB30XU8F.bat

windows10-2004-x64

Sharing

General

Target

wB30XU8F.bat
Size

12KB
Sample

250302-xntmea1yes
MD5

9db325d6143da09edc4e1fe41b152e71
SHA1

cfc1af0130d50fb88d173ebcecaa3f0b16e1f1d4
SHA256

87913ff2c6fabe85812bbc7691a8773cb4842557699151d63fe492f2420fc567
SHA512

3a49d024aca27d1044b9874b1726354a4c002965be3b890a74024ae9a6196ec31df4a8854d1c058c70b6ccd98b0a8b127c323ff0e2dd9d714321ddd362bc0001
SSDEEP

384:CKvwJK8ve177XuvkHs8U06Z+a/PXA3P4uxc7Q7/WlAnY1e++ptdy:TwU1nXFs8UF+aQuQYOceZjy

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

wB30XU8F.bat

Resource

win7-20240903-en

defense_evasion discovery execution

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

wB30XU8F.bat

Resource

win10v2004-20250217-en

xworm defense_evasion discovery execution rat trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

county-ideal.gl.at.ply.gg:36716

Attributes

Install_directory
%AppData%
install_file
SystemUser.exe

Targets

- Target
  
  wB30XU8F.bat
- Size
  
  12KB
- MD5
  
  9db325d6143da09edc4e1fe41b152e71
- SHA1
  
  cfc1af0130d50fb88d173ebcecaa3f0b16e1f1d4
- SHA256
  
  87913ff2c6fabe85812bbc7691a8773cb4842557699151d63fe492f2420fc567
- SHA512
  
  3a49d024aca27d1044b9874b1726354a4c002965be3b890a74024ae9a6196ec31df4a8854d1c058c70b6ccd98b0a8b127c323ff0e2dd9d714321ddd362bc0001
- SSDEEP
  
  384:CKvwJK8ve177XuvkHs8U06Z+a/PXA3P4uxc7Q7/WlAnY1e++ptdy:TwU1nXFs8UF+aQuQYOceZjy
Score

10^/10

defense_evasion discovery execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Ignore Process Interrupts

Modify Registry

Credential Access

Discovery

Process Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

xwormdefense_evasiondiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy