General

  • Target: fb4ce395283d4dcc0632cddf7ab374aff3e3a03e2871364ea419ddc8deecaad4.bat
  • Size: 809B
  • Sample: 250304-ee5dfazlx7
  • MD5: da0c105256eccbca5772fb173b5a313f
  • SHA1: db0583cd2282aec4f414763cf22d677ec7073f76
  • SHA256: fb4ce395283d4dcc0632cddf7ab374aff3e3a03e2871364ea419ddc8deecaad4
  • SHA512: ea2b97998c20ed28f874b83bd15fccfd82dc34a6655988d121c833e5c0352cb4d23c4be1312c0a6863d3629a7d8957de2560fc9be42dfe22c375f937ccee894d

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: 137.184.74.73:5000
  • Mutex: fEkivyZANGvej5MK
  • Attributes
    • install_file: USB.exe
  • aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke Web Request.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks