xworm | 743db9757f94a7f6f6e80e01ae725daff09b56397f3c60a423da44104fa56cea | Triage

Sharing

General

Target

743db9757f94a7f6f6e80e01ae725daff09b56397f3c60a423da44104fa56cea.bat
Size

64KB
Sample

250305-dfenqswxh1
MD5

85895b178c1ab401353c71c150f01950
SHA1

f23aa3e21be2026a20cde84aac495eedbbc8ba5f
SHA256

743db9757f94a7f6f6e80e01ae725daff09b56397f3c60a423da44104fa56cea
SHA512

a6e1f8404c245f42285a2dc668b36ce041f9df2641707a715257e1c42694bb57f86c3cd4ba554e3264b6aa6c8046f683fd350e9b9c65a31ed58924f972afe50b
SSDEEP

1536:MVpdfg39TAXKl/yi4830S1BZkbmEKUgXEXzICKUnFPyREf:u49Mal/Ln0S1QHf9yREf

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

Lgqsm4XWzB9LrFCO

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  743db9757f94a7f6f6e80e01ae725daff09b56397f3c60a423da44104fa56cea.bat
- Size
  
  64KB
- MD5
  
  85895b178c1ab401353c71c150f01950
- SHA1
  
  f23aa3e21be2026a20cde84aac495eedbbc8ba5f
- SHA256
  
  743db9757f94a7f6f6e80e01ae725daff09b56397f3c60a423da44104fa56cea
- SHA512
  
  a6e1f8404c245f42285a2dc668b36ce041f9df2641707a715257e1c42694bb57f86c3cd4ba554e3264b6aa6c8046f683fd350e9b9c65a31ed58924f972afe50b
- SSDEEP
  
  1536:MVpdfg39TAXKl/yi4830S1BZkbmEKUgXEXzICKUnFPyREf:u49Mal/Ln0S1QHf9yREf
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan