General

  • Target

    ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141.ps1

  • Size

    779B

  • Sample

    250305-d96djsxxdx

  • MD5

    209a0dcfb7e176365dc8f9a00dec716a

  • SHA1

    aac44bda989e764f25277e7ed2b6680c781d704e

  • SHA256

    ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141

  • SHA512

    354491ae39042832f2b419a85ffbb45e1159a35aa124cfb61c3ec47ba70da176f4bffe1a089f4dfa55ee3f76525cc6f1a204a84b153d44eb143ea6a6780f687b

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://92.255.57.221/yr.exe

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    92.255.57.221:4414

  • aes.plain

Targets

    • Target

      ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141.ps1


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Suspicious use of SetThreadContext
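The following is an added example, not part of the sandbox report and not code from XWorm or the sandbox vendor. It turns the indicators in the Malware Config section (the exe.dropper URL, the xworm C2 host:port and the sample SHA256) into a small IOC sweep over proxy and flow logs, the kind of check the "Blocklisted process makes network request" and "Downloads MZ/PE file" signatures above would prompt in a real environment. The log lines and their layouts (a Squid-style native access.log and a simple "src -> dst" flow line) are constructed assumptions for illustration, not data from the sandbox run.

```python
"""IOC sweep for the XWorm dropper / C2 described in the report above.

Added example: the indicators are taken from the report; the log lines
and their formats are constructed assumptions and not from the sample run.
"""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the report (Malware Config and General sections).
DROPPER_URL = "http://92.255.57.221/yr.exe"
C2_HOST = "92.255.57.221"
C2_PORT = 4414
SAMPLE_SHA256 = "ccc270754c9759f623d9ec2f08ca17d960290e60f6c332f0682c9dc6c02d1141"

# Constructed sample input (assumption: Squid native access.log layout).
PROXY_LOG = """\
1741150000.123 45 10.0.0.7 TCP_MISS/200 81920 GET http://92.255.57.221/yr.exe - HIER_DIRECT/92.255.57.221 application/x-msdownload
1741150001.456 12 10.0.0.8 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
"""

# Constructed sample input (assumption: one "timestamp src:port -> dst:port proto bytesB" line per flow).
FLOW_LOG = """\
2025-03-05T06:10:12Z 10.0.0.7:49712 -> 92.255.57.221:4414 TCP 1280B
2025-03-05T06:10:15Z 10.0.0.9:49820 -> 142.250.74.78:443 TCP 5120B
2025-03-05T06:11:01Z 10.0.0.7:49713 -> 92.255.57.221:80 TCP 81920B
"""

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\d+)B$")


@dataclass
class Hit:
    source: str      # which log the line came from
    line_no: int     # 1-based line number in that log
    reason: str      # dropper_url | dropper_host | c2_beacon
    indicator: str   # the IOC that matched
    line: str        # the raw log line, for the analyst


def scan_proxy(log: str) -> list[Hit]:
    """Flag proxy requests for the dropper URL or any request to the C2 host."""
    hits: list[Hit] = []
    for n, line in enumerate(log.splitlines(), 1):
        fields = line.split()
        if len(fields) < 7:
            continue
        url = fields[6]                      # Squid native format: URL is the 7th field
        host = urlsplit(url).hostname
        if url == DROPPER_URL:
            hits.append(Hit("proxy", n, "dropper_url", url, line))
        elif host == C2_HOST:
            hits.append(Hit("proxy", n, "dropper_host", host, line))
    return hits


def scan_flows(log: str) -> list[Hit]:
    """Flag flows to the C2 host:port (beacon) and to the C2 host on any other port."""
    hits: list[Hit] = []
    for n, line in enumerate(log.splitlines(), 1):
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst_host, dst_port = m.group(4), int(m.group(5))
        if dst_host == C2_HOST and dst_port == C2_PORT:
            hits.append(Hit("flow", n, "c2_beacon", f"{dst_host}:{dst_port}", line))
        elif dst_host == C2_HOST:
            hits.append(Hit("flow", n, "dropper_host", dst_host, line))
    return hits


def sha256_matches(data: bytes) -> bool:
    """True if the given file content is the dropper script from this report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG) + scan_flows(FLOW_LOG):
        print(f"[{hit.source}:{hit.line_no}] {hit.reason} {hit.indicator}")
```

Matching on the exact dropper URL is the narrowest check; matching on the host covers the case where the operator rotates the file name but keeps the same server, and the port 4414 match is the one that distinguishes a live XWorm session from the initial download. Run against real logs, replace the constructed strings with the file contents and keep the hash check for confirming a recovered .ps1 against the report.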

MITRE ATT&CK Enterprise v15

Tasks