xworm | 02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f | Triage

Sharing

General

Target

02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f.bat
Size

66KB
Sample

250306-cgrh9avwby
MD5

884179d856f1870b50ee3b0ca606ca8a
SHA1

12f60d3393ac5e5c93637c168cc678b05aec183a
SHA256

02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f
SHA512

ccac70be4a34a296010541496ada60763fcc460140956fb44d4051c84b2225109bb8fa68ee3d0ea4755d33ad39cba179883560bb7eae95b351dbc5204f39c50f
SSDEEP

1536:IjfS0G9/uMZf+dCwNsHbsFfKi2lkH0ZkbmEKUgXEXzICKUnFhGg:f9/uzdCwNs7wZ2GHZHfTGg

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

remnew25.duckdns.org:3984

Mutex

XqNiNJ9BHQEGZDPh

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f.bat
- Size
  
  66KB
- MD5
  
  884179d856f1870b50ee3b0ca606ca8a
- SHA1
  
  12f60d3393ac5e5c93637c168cc678b05aec183a
- SHA256
  
  02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f
- SHA512
  
  ccac70be4a34a296010541496ada60763fcc460140956fb44d4051c84b2225109bb8fa68ee3d0ea4755d33ad39cba179883560bb7eae95b351dbc5204f39c50f
- SSDEEP
  
  1536:IjfS0G9/uMZf+dCwNsHbsFfKi2lkH0ZkbmEKUgXEXzICKUnFhGg:f9/uzdCwNs7wZ2GHZHfTGg
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan