General

  • Target

    06032025_1547_awb_post_dhl_delivery_documents_06_03_2025_00000000000250.bat.zip

  • Size

    34KB

  • Sample

    250306-tfa9basq16

  • MD5

    30372fa1d1b2863d668410ac9748700a

  • SHA1

    9ccb08a590a1d76dceb5fc06eb29e37bbbe9f7a1

  • SHA256

    03d52942b9129557104e5e3bbbf581e914edc984eca17e28a52bf581846dc176

  • SHA512

    27e786b4b502b302570763cca3ef2912fa2672a232179426cc9d280a9fa0867956c350dabd45afdbaa25ae173cb12c1d29c7d0ddb9caf4707bd1e27523223183

  • SSDEEP

    768:FX1OJyuQYdOvt/L1CA+N5uHWHmebmnABtZJ5IYz/eo7PL5RddyCmaaA/nN3BHJ:l1OJyZVIHr8nnABT3IseW+5MNxp

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

bppouzbV7pFA6n72

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      awb_post_dhl_delivery_documents_06_03_2025_00000000000250.bat

    • Size

      64KB

    • MD5

      fef11d117754e450b937fd134f9dba13

    • SHA1

      1024f7c99c81e39f0f53710d24e06ddea52082ad

    • SHA256

      999ec6f3dd5816786295500cd790941727bdaccb9640becf284938bda7cd73a9

    • SHA512

      db20ef27451bb79a9f21b9213e29e9ee40326c8b8dc28ba824a3aad3d901481ab18acd49d77ee0a2d68799853db5ed1ac9e76e8515070ee83632181a141a0bc4

    • SSDEEP

      1536:8nDChFG71EIZWgZkbmEKUgXEXzICKUnFT3mKHWCW7zxk7Qvc5MCzAlZt:DHft3mK2Cuzv/H

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops startup file

MITRE ATT&CK Enterprise v15

Tasks