xworm | a36ff1329f3821aa66247526acf957a0708ce2df96cd61ee52c6513f1742905c | Triage

Sharing

General

Target

awb_post_dhl_delivery_documents_05_03_2025_00000000000250.7z.zip
Size

34KB
Sample

250305-q3lrsazwbw
MD5

f95fc1276e3dfec7862d35bec284b761
SHA1

39a0598570c82a824efd70a834e76d643b957aeb
SHA256

a36ff1329f3821aa66247526acf957a0708ce2df96cd61ee52c6513f1742905c
SHA512

4fec6c14f4971c0622e9a86e016c59ccf88f7f0e19b3ab40c2ae21298ebee5e0f0feeccf51fc1a06966c970790c5e9c5bd38797a3794656527ed262034b29120
SSDEEP

768:Ue3udlG57U7Z2sN7OQXuB3nMkOdxhNal0/Dh8s+90/OzaOjURkXGIRiqKvF:h3uCohJOP3nedxZ18J0/OW22IRiNN

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

bppouzbV7pFA6n72

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  awb_post_dhl_delivery_documents_05_03_2025_00000000000250.bat
- Size
  
  64KB
- MD5
  
  cf57d5eb699a380c9c16a80380ba4430
- SHA1
  
  f619f0e136046b263597254cac874843669b6f5d
- SHA256
  
  71dfb99a8659fc7f33fb09bda152cc14aa4d42266c3691b61045a7083eaca8d6
- SHA512
  
  f2d558bc38a0863e442d362416700a0e678a8c9d8e9c9fb6d9e6123e8b8f3e6bde740cb51e432396577609b01c0783fcb7a748cc60fd097823ae4241dcada51f
- SSDEEP
  
  1536:UM8QNuOVNv9V/AoMwQ0l/ds8RtZkbmEKUgXEXzICKUnFWvjpi:UMnTVNVVqJU/dUHfKjpi
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan