Overview

overview

10

Static

static

1

cmd.bat

windows7-x64

10

cmd.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cmd.bat

  • Size

    179B

  • Sample

    250307-fbmjwstyfv

  • MD5

    de7481e65ab0afc6d3928aeed6b20b7d

  • SHA1

    9590ec1a379ae574c161aadc5ece66c185adb072

  • SHA256

    89e11b195c89fc104208da51765503cc941c169ef118c8180d268dd1ecf8d096

  • SHA512

    65ca342a1251c7954cc74877155afacc9d111b1039f3a773e07f5dcf6b98b76eb1147fd6091152f5ffd827b1bb4971d9d80c295bb744c2199c475d71f536cf67

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.7.214.54/a.mp4

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411
aes.plain

Targets

    • Target

      cmd.bat

    • Size

      179B

    • MD5

      de7481e65ab0afc6d3928aeed6b20b7d

    • SHA1

      9590ec1a379ae574c161aadc5ece66c185adb072

    • SHA256

      89e11b195c89fc104208da51765503cc941c169ef118c8180d268dd1ecf8d096

    • SHA512

      65ca342a1251c7954cc74877155afacc9d111b1039f3a773e07f5dcf6b98b76eb1147fd6091152f5ffd827b1bb4971d9d80c295bb744c2199c475d71f536cf67

    Score
    10/10
    executionxwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks