xworm | 982aeaa82e848b3fa908569d594c3c683e010853aabf0b774cd017cd78f452f2 | Triage

Sharing

General

Target

BHmguu3.bat
Size

61KB
Sample

250304-vhfggsvygw
MD5

17593ee6efc7b77ce313f3ad23119366
SHA1

fb978403970c1022813e2a525b02c21e67bbfd47
SHA256

982aeaa82e848b3fa908569d594c3c683e010853aabf0b774cd017cd78f452f2
SHA512

ad64b462ae4b3dc3b97cc746fa4689c26020d9d7695f6741df08728dbaa207ca781e5cb9bf6457d5dbe726251c1be3ddac6720432f6d55d94644d8741bfdf85f
SSDEEP

1536:lBV+YMcw68L9UOCl0UV7foh8KbZkbmEKUgXEXzICKUnF7:lBV+YM8+9FUdohgHfB

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

196.251.73.165:4782

Mutex

EXQQh6mPrqgJAFJA

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  BHmguu3.bat
- Size
  
  61KB
- MD5
  
  17593ee6efc7b77ce313f3ad23119366
- SHA1
  
  fb978403970c1022813e2a525b02c21e67bbfd47
- SHA256
  
  982aeaa82e848b3fa908569d594c3c683e010853aabf0b774cd017cd78f452f2
- SHA512
  
  ad64b462ae4b3dc3b97cc746fa4689c26020d9d7695f6741df08728dbaa207ca781e5cb9bf6457d5dbe726251c1be3ddac6720432f6d55d94644d8741bfdf85f
- SSDEEP
  
  1536:lBV+YMcw68L9UOCl0UV7foh8KbZkbmEKUgXEXzICKUnF7:lBV+YM8+9FUdohgHfB
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan