xworm | b228c2b8531490ef11cf6641993b32cdb1b05c5d77638356ba1dd1908e76dfa1 | Triage

Sharing

General

Target

03032025_1235_awb_post_dhl_delivery_documents_03_03_2025_0000000000.bat.zip
Size

34KB
Sample

250303-psfmcaxygs
MD5

cb9f9ab904b1596e3e93e75956b8d6c5
SHA1

b333734254577fa228294a2e62d0796cfd52dd1e
SHA256

b228c2b8531490ef11cf6641993b32cdb1b05c5d77638356ba1dd1908e76dfa1
SHA512

874386f3ac00e78e8682b1f6f9f5d3a8d96ac495e725b220659f896705e2dc979c7cb5a30f9412d4af0e00858c89b0283cc6c34ea86141cd81ad38110cec6d11
SSDEEP

768:jC9zj3rqcr+iOAqH9hAyfZyV5vuh5H5z7U0KMUK11tJNQ:4fqcrwAqHTb85Wh5HhU05T1tJS

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

Lgqsm4XWzB9LrFCO

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  awb_post_dhl_delivery_documents_03_03_2025_0000000000.bat
- Size
  
  64KB
- MD5
  
  c9e1c4149f24616a23b6849386c8a045
- SHA1
  
  5a37e61994c77777c7bb6953eed8d336ad67645c
- SHA256
  
  e2e4a15190051f6a87bb10eab12b12744580d7d69b56c2c38a278865f10c2921
- SHA512
  
  52b92498d60e90d4f86751c8a682c80aa2cbacfab808f0c85d289491c8754d6e16649c750cd6e79024ef7052fc11a968efc23e2ace86ebe3aa8dc04c44f957dc
- SSDEEP
  
  1536:FmZkbmEKUgXEXzICKUnFevg9GPlv4hULBsbVnHk/bGvSHe5BNR:F3Hf0IkqbtHk/bGg83R
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan