xworm | 0c17eb3ab5d7fdff6fcde1fee32a4183ec0928aa7ae77a74b140a128ed671b84 | Triage

Sharing

General

Target

XClient_encrypted_obf_bat.bat
Size

540KB
Sample

250307-2hwxssyqv3
MD5

7691f0a3619e34794c2d9f8acd645e30
SHA1

666541b63a9f6b808765e45b1238a2935b3be7a8
SHA256

0c17eb3ab5d7fdff6fcde1fee32a4183ec0928aa7ae77a74b140a128ed671b84
SHA512

76750941a254405f4477f989315db2ba5507dc8a6bb6c1091b4f0510a884e637337d18d27910766b88ae1038a1dd36f2ecbddc504e8b6220522cc509fde9038e
SSDEEP

6144:qOaa4GFhnfN27m5lxsVjLLWHKTkrQk5zb9zRvphlQ0/vxiwEilMwDEh9HwOf6Lnr:QY7215Wbb9BXf7/BV7v

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

74.12.129.6:7000

Mutex

nPR0rvUPpd6dZNUx

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  XClient_encrypted_obf_bat.bat
- Size
  
  540KB
- MD5
  
  7691f0a3619e34794c2d9f8acd645e30
- SHA1
  
  666541b63a9f6b808765e45b1238a2935b3be7a8
- SHA256
  
  0c17eb3ab5d7fdff6fcde1fee32a4183ec0928aa7ae77a74b140a128ed671b84
- SHA512
  
  76750941a254405f4477f989315db2ba5507dc8a6bb6c1091b4f0510a884e637337d18d27910766b88ae1038a1dd36f2ecbddc504e8b6220522cc509fde9038e
- SSDEEP
  
  6144:qOaa4GFhnfN27m5lxsVjLLWHKTkrQk5zb9zRvphlQ0/vxiwEilMwDEh9HwOf6Lnr:QY7215Wbb9BXf7/BV7v
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan