Overview

overview

10

Static

static

1

awb_post_d...50.bat

windows7-x64

8

awb_post_d...50.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a36ff1329f3821aa66247526acf957a0708ce2df96cd61ee52c6513f1742905c

  • Size

    34KB

  • Sample

    250305-pazbqsykv6

  • MD5

    f95fc1276e3dfec7862d35bec284b761

  • SHA1

    39a0598570c82a824efd70a834e76d643b957aeb

  • SHA256

    a36ff1329f3821aa66247526acf957a0708ce2df96cd61ee52c6513f1742905c

  • SHA512

    4fec6c14f4971c0622e9a86e016c59ccf88f7f0e19b3ab40c2ae21298ebee5e0f0feeccf51fc1a06966c970790c5e9c5bd38797a3794656527ed262034b29120

  • SSDEEP

    768:Ue3udlG57U7Z2sN7OQXuB3nMkOdxhNal0/Dh8s+90/OzaOjURkXGIRiqKvF:h3uCohJOP3nedxZ18J0/OW22IRiNN

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

bppouzbV7pFA6n72

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      awb_post_dhl_delivery_documents_05_03_2025_00000000000250.bat

    • Size

      64KB

    • MD5

      cf57d5eb699a380c9c16a80380ba4430

    • SHA1

      f619f0e136046b263597254cac874843669b6f5d

    • SHA256

      71dfb99a8659fc7f33fb09bda152cc14aa4d42266c3691b61045a7083eaca8d6

    • SHA512

      f2d558bc38a0863e442d362416700a0e678a8c9d8e9c9fb6d9e6123e8b8f3e6bde740cb51e432396577609b01c0783fcb7a748cc60fd097823ae4241dcada51f

    • SSDEEP

      1536:UM8QNuOVNv9V/AoMwQ0l/ds8RtZkbmEKUgXEXzICKUnFWvjpi:UMnTVNVVqJU/dUHfKjpi

    Score
    10/10
    executionxwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Drops startup file

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks