General

  • Target

    03032025_1519_Original_BL_Shipping_Documents.pdf_.bat.zip

  • Size

    34KB

  • Sample

    250303-sp2bes1m19

  • MD5

    a105f14c80eaad812d70deb5ae8221f7

  • SHA1

    6f96407b20c8fddc4b1f56b897f6d4287113fe24

  • SHA256

    feada76fd75410d24b52dd6b9dede5ad0d1357f69b1c94d29645205793630dd8

  • SHA512

    a2cd85c4e135e0030e4bef7efc87ce28dab2df9e71e5720558bb417fd9244563793ada95d8b793cdf6291ad6edea099900c2c146de8ca436882fab28dbe0ea01

  • SSDEEP

    768:vuD4m6o9t7J53cyE/cYUH5zaIGWUu6GWEqIQPDw1XSIDT:vm6o9tdVcyEbUH53GW5WUAsnn

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    expresswealthz.duckdns.org:3911

  • Mutex

    RzkxMatWHp9NDD4H

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Target

      Original_BL_Shipping_Documents.pdf_.bat

    • Size

      64KB

    • MD5

      c784b6876259c872711eaf78807e5756

    • SHA1

      ef62eccd9a17ade1eaa1b9f17965809e61e1dc06

    • SHA256

      1bccd23f3c83974f8fb8066bf4ceb6b2faa165af846401080bf2cdccd1ef79da

    • SHA512

      4a81baecf18a5c02a1a8058615ddda804c9c52e38853392530207d3c823e1c8cca55ee4976056abce72f06cf4b433c2ed18522e805e536a8aab1a4693c54f26f

    • SSDEEP

      1536:6im/0y4lWcfZP+UtLdxgNp2VnVCiJZkbmEKUgXEXzICKUnFN:6NszDfZ2UCGnVCiIHfj

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops startup file

MITRE ATT&CK Enterprise v15

Tasks