Overview

overview

10

Static

static

10

a.ps1

windows7-x64

8

a.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.ps1

  • Size

    509B

  • Sample

    250307-fbgcwatyft

  • MD5

    5ffc54e178b40c65b7d2fb357492baf5

  • SHA1

    d59d533638f1a755fc37129796e7731ccb6206a8

  • SHA256

    7fe172c67413d3bcc1b2ae93b2cbd21eec0aa8a31198828c7dc04a310f9677cc

  • SHA512

    57bcc6b7e00d4638db2d99aef02d5c06c67aee0250db7c3b23fbafa0aaeca0e0df90df1d7258a9ba65db4077ed8548a7e7b391706e28086958e8d9d087d5111c

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.7.214.54/fg.exe

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411
aes.plain

Targets

    • Target

      a.ps1

    • Size

      509B

    • MD5

      5ffc54e178b40c65b7d2fb357492baf5

    • SHA1

      d59d533638f1a755fc37129796e7731ccb6206a8

    • SHA256

      7fe172c67413d3bcc1b2ae93b2cbd21eec0aa8a31198828c7dc04a310f9677cc

    • SHA512

      57bcc6b7e00d4638db2d99aef02d5c06c67aee0250db7c3b23fbafa0aaeca0e0df90df1d7258a9ba65db4077ed8548a7e7b391706e28086958e8d9d087d5111c

    Score
    10/10
    executionxwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks