xworm | e2e4a15190051f6a87bb10eab12b12744580d7d69b56c2c38a278865f10c2921 | Triage

Sharing

General

Target

e2e4a15190051f6a87bb10eab12b12744580d7d69b56c2c38a278865f10c2921.bat
Size

64KB
Sample

250305-ehqpfsykv2
MD5

c9e1c4149f24616a23b6849386c8a045
SHA1

5a37e61994c77777c7bb6953eed8d336ad67645c
SHA256

e2e4a15190051f6a87bb10eab12b12744580d7d69b56c2c38a278865f10c2921
SHA512

52b92498d60e90d4f86751c8a682c80aa2cbacfab808f0c85d289491c8754d6e16649c750cd6e79024ef7052fc11a968efc23e2ace86ebe3aa8dc04c44f957dc
SSDEEP

1536:FmZkbmEKUgXEXzICKUnFevg9GPlv4hULBsbVnHk/bGvSHe5BNR:F3Hf0IkqbtHk/bGg83R

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

Lgqsm4XWzB9LrFCO

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  e2e4a15190051f6a87bb10eab12b12744580d7d69b56c2c38a278865f10c2921.bat
- Size
  
  64KB
- MD5
  
  c9e1c4149f24616a23b6849386c8a045
- SHA1
  
  5a37e61994c77777c7bb6953eed8d336ad67645c
- SHA256
  
  e2e4a15190051f6a87bb10eab12b12744580d7d69b56c2c38a278865f10c2921
- SHA512
  
  52b92498d60e90d4f86751c8a682c80aa2cbacfab808f0c85d289491c8754d6e16649c750cd6e79024ef7052fc11a968efc23e2ace86ebe3aa8dc04c44f957dc
- SSDEEP
  
  1536:FmZkbmEKUgXEXzICKUnFevg9GPlv4hULBsbVnHk/bGvSHe5BNR:F3Hf0IkqbtHk/bGg83R
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan