xworm | dac0285f7cc9ae45f5c79314a20853c5d9e1071bf657260f7fa34ae8f35a2ec9 | Triage

Sharing

General

Target

awb_post_dhl_delivery_documents_07_03_2025_00000000000250507.bat
Size

64KB
Sample

250307-fejmeavnt7
MD5

6ac676101e5cc6f9b723060ffafd7168
SHA1

d1f888277d5a627862316a8a81d90e1a3dd19ee2
SHA256

dac0285f7cc9ae45f5c79314a20853c5d9e1071bf657260f7fa34ae8f35a2ec9
SHA512

8a5417c33e37cce7c58e3dc132d24104b6a9599e2788df9ca3e040b04241ae82d77c4709baa210cc06b638dd6a1ab188f27928db93df203b6b14e9c1a43d41cd
SSDEEP

1536:IZkbmEKUgXEXzICKUnFP25y3Nm8RiepC+gR1LKT6x6bsLO:lHflwYigiHKTW6bsLO

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

bppouzbV7pFA6n72

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  awb_post_dhl_delivery_documents_07_03_2025_00000000000250507.bat
- Size
  
  64KB
- MD5
  
  6ac676101e5cc6f9b723060ffafd7168
- SHA1
  
  d1f888277d5a627862316a8a81d90e1a3dd19ee2
- SHA256
  
  dac0285f7cc9ae45f5c79314a20853c5d9e1071bf657260f7fa34ae8f35a2ec9
- SHA512
  
  8a5417c33e37cce7c58e3dc132d24104b6a9599e2788df9ca3e040b04241ae82d77c4709baa210cc06b638dd6a1ab188f27928db93df203b6b14e9c1a43d41cd
- SSDEEP
  
  1536:IZkbmEKUgXEXzICKUnFP25y3Nm8RiepC+gR1LKT6x6bsLO:lHflwYigiHKTW6bsLO
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan