xworm

General

Target

feada76fd75410d24b52dd6b9dede5ad0d1357f69b1c94d29645205793630dd8
Size

34KB
Sample

250303-rb5w1szlw5
MD5

a105f14c80eaad812d70deb5ae8221f7
SHA1

6f96407b20c8fddc4b1f56b897f6d4287113fe24
SHA256

feada76fd75410d24b52dd6b9dede5ad0d1357f69b1c94d29645205793630dd8
SHA512

a2cd85c4e135e0030e4bef7efc87ce28dab2df9e71e5720558bb417fd9244563793ada95d8b793cdf6291ad6edea099900c2c146de8ca436882fab28dbe0ea01
SSDEEP

768:vuD4m6o9t7J53cyE/cYUH5zaIGWUu6GWEqIQPDw1XSIDT:vm6o9tdVcyEbUH53GW5WUAsnn

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

expresswealthz.duckdns.org:3911

Mutex

RzkxMatWHp9NDD4H

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  Original_BL_Shipping_Documents.pdf_.bat
- Size
  
  64KB
- MD5
  
  c784b6876259c872711eaf78807e5756
- SHA1
  
  ef62eccd9a17ade1eaa1b9f17965809e61e1dc06
- SHA256
  
  1bccd23f3c83974f8fb8066bf4ceb6b2faa165af846401080bf2cdccd1ef79da
- SHA512
  
  4a81baecf18a5c02a1a8058615ddda804c9c52e38853392530207d3c823e1c8cca55ee4976056abce72f06cf4b433c2ed18522e805e536a8aab1a4693c54f26f
- SSDEEP
  
  1536:6im/0y4lWcfZP+UtLdxgNp2VnVCiJZkbmEKUgXEXzICKUnFN:6NszDfZ2UCGnVCiIHfj
Score

10^/10

discovery execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Drops startup file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2