Overview

overview

10

Static

static

1

Shipping_D...df.bat

windows7-x64

8

Shipping_D...df.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    07032025_0116_Shipping_Documents.pdf.bat.zip

  • Size

    34KB

  • Sample

    250307-bv146sskz9

  • MD5

    3d26e139f9b6a8d1557dde9e86814121

  • SHA1

    49014777f54199edb62e9319b7aacf007b523ff6

  • SHA256

    9dce073765428a2d48eebf68eda9f67a94d6de41b41daae3a236416a1850b8c1

  • SHA512

    68f9b91751b81e95c079affbfcdcce40742b594fe7635f5d4e1c64e4d6ba3aca82e63df9f8c0072288d092e8e9e13abd097dd06e1e189152d93b04168837bc63

  • SSDEEP

    768:d1wSXTnjdCn4x/xvwgd4h38XcBZjb7St/EcKLIOVJATXXhxWZvG64fiGx:dGSjnY4x/xYU4hocnjbO5EcaIiJA778k

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

expressblessingnow001.duckdns.org:3911

Mutex

RGibYsdTDFPkg2QK

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Shipping_Documents.pdf.bat

    • Size

      64KB

    • MD5

      09433b8bcc804eb2d86576f9064a37ef

    • SHA1

      17c9e11369e65e40e621061cde2da11e479d6aa4

    • SHA256

      370fe2362d5ffa4bbcf6dd32cfcfd744809f5ae9c951c6c66950da695f554679

    • SHA512

      d64cc7c3e095507d2ddfa324808b98db01463007ae2c6f6eb4e6523514340ba32d066f9ae1f46019c2a1787625c028bc369cebc3cbb8800650a4205c89ac28f8

    • SSDEEP

      1536:7ZlVZkbmEKUgXEXzICKUnFASrMO2hX47MtDt8TpEn3WK2op7BeX:7ZeHfiSWho7Mg9WMX

    Score
    10/10
    discoveryexecutionxwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Drops startup file

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks