xworm | fbb07a7f02f9957564b487f7a893751f3059ae53dbcd0bdf5f176ca7be69096b | Triage

Sharing

General

Target

Shipping_Documents.pdf_.bat
Size

64KB
Sample

250303-h2ryea1rs5
MD5

eac68a6120674bd90a20752d09d126e8
SHA1

9f73c48c6a5d177b67ca3f984caca601d6540427
SHA256

fbb07a7f02f9957564b487f7a893751f3059ae53dbcd0bdf5f176ca7be69096b
SHA512

f3240d2ecf309a5b1db1566b9fbff5ee7c946a26ff441327cbebb0ce1f3089e0a02934c14f164d59e934c585132413af38e4b6b389577eb61e1e7f590cb23248
SSDEEP

1536:vOYBZkbmEKUgXEXzICKUnF85J6ygoASfj3Hlbjeq5d6d01jK:vZQHfe5J6JQbn5dl1jK

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

expresswealthz.duckdns.org:3911

Mutex

RzkxMatWHp9NDD4H

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  Shipping_Documents.pdf_.bat
- Size
  
  64KB
- MD5
  
  eac68a6120674bd90a20752d09d126e8
- SHA1
  
  9f73c48c6a5d177b67ca3f984caca601d6540427
- SHA256
  
  fbb07a7f02f9957564b487f7a893751f3059ae53dbcd0bdf5f176ca7be69096b
- SHA512
  
  f3240d2ecf309a5b1db1566b9fbff5ee7c946a26ff441327cbebb0ce1f3089e0a02934c14f164d59e934c585132413af38e4b6b389577eb61e1e7f590cb23248
- SSDEEP
  
  1536:vOYBZkbmEKUgXEXzICKUnF85J6ygoASfj3Hlbjeq5d6d01jK:vZQHfe5J6JQbn5dl1jK
Score

10^/10

discovery execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

xwormdiscoveryexecutionrattrojan