xworm | 71dfb99a8659fc7f33fb09bda152cc14aa4d42266c3691b61045a7083eaca8d6 | Triage

Sharing

General

Target

awb_post_dhl_delivery_documents_05_03_2025_00000000000250.bat
Size

64KB
Sample

250305-m88a7aw1bv
MD5

cf57d5eb699a380c9c16a80380ba4430
SHA1

f619f0e136046b263597254cac874843669b6f5d
SHA256

71dfb99a8659fc7f33fb09bda152cc14aa4d42266c3691b61045a7083eaca8d6
SHA512

f2d558bc38a0863e442d362416700a0e678a8c9d8e9c9fb6d9e6123e8b8f3e6bde740cb51e432396577609b01c0783fcb7a748cc60fd097823ae4241dcada51f
SSDEEP

1536:UM8QNuOVNv9V/AoMwQ0l/ds8RtZkbmEKUgXEXzICKUnFWvjpi:UMnTVNVVqJU/dUHfKjpi

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

bppouzbV7pFA6n72

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  awb_post_dhl_delivery_documents_05_03_2025_00000000000250.bat
- Size
  
  64KB
- MD5
  
  cf57d5eb699a380c9c16a80380ba4430
- SHA1
  
  f619f0e136046b263597254cac874843669b6f5d
- SHA256
  
  71dfb99a8659fc7f33fb09bda152cc14aa4d42266c3691b61045a7083eaca8d6
- SHA512
  
  f2d558bc38a0863e442d362416700a0e678a8c9d8e9c9fb6d9e6123e8b8f3e6bde740cb51e432396577609b01c0783fcb7a748cc60fd097823ae4241dcada51f
- SSDEEP
  
  1536:UM8QNuOVNv9V/AoMwQ0l/ds8RtZkbmEKUgXEXzICKUnFWvjpi:UMnTVNVVqJU/dUHfKjpi
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan