General

  • Target

    cf_verif.ps1

  • Size

    679B

  • Sample

    250307-sj5rnassav

  • MD5

    1b50d8010aab1860d73255e7857197b6

  • SHA1

    960be1f5e7d05216ce2a1fd8012a7434e1d9c47e

  • SHA256

    b18ed93dd979c6233b1ce6e195338a57243f2a71e6147311aaf06fccea1d20c7

  • SHA512

    af037b5aeb04a96f9af623b3a96baa76ea6b62792a7552cbf5ee7f9ad18f09b0085b8874c1a46ffbc710bca6bc6d2105a70196028fb76bf781b652433c212c40

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper: https://cf-prod-cap.cfd/aliu1.ps1

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    193.32.177.63:6000

  • Mutex

    wwD0bshguVCRSd3k

  • Attributes

    • install_file

      USB.exe

    • telegram

      https://api.telegram.org/bot7238632531:AAGCQZAh03hAwOcuP9HUeoAP5AQV0o0tp24/sendMessage?chat_id=8080837794

  • aes.plain
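The extracted configuration above is the material a responder hunts with: the dropper host, the C2 socket, the install filename and the Telegram bot used for notifications. The following is an added example, not part of the sandbox report and not XWorm's own code, that turns those indicators into a check over egress/proxy log lines. The log lines are constructed for illustration and the log format is an assumption. The Telegram match keys on the numeric bot id before the colon rather than on the full token: the part after the colon is the bot's secret, which an operator can revoke and reissue while the bot id stays the same, so the id is the more durable pivot. The example also shows why the match must be on the exact bot id, since plain api.telegram.org traffic is common and not an indicator by itself.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators copied from the extracted config in the report above.
DROPPER_URL = "https://cf-prod-cap.cfd/aliu1.ps1"
C2 = "193.32.177.63:6000"
TELEGRAM_URL = ("https://api.telegram.org/bot7238632531:"
                "AAGCQZAh03hAwOcuP9HUeoAP5AQV0o0tp24/sendMessage?chat_id=8080837794")
INSTALL_FILE = "USB.exe"


def telegram_ids(url):
    """Return (bot_id, chat_id) from a Telegram Bot API URL.

    The path segment after 'bot' is '<bot_id>:<secret>'. Only the numeric
    bot_id is returned; the secret is a credential and is not needed to hunt.
    """
    parsed = urlparse(url)
    m = re.match(r"^/bot(\d+):[A-Za-z0-9_-]+/", parsed.path)
    chat_id = parse_qs(parsed.query).get("chat_id", [None])[0]
    return (m.group(1) if m else None, chat_id)


def build_iocs():
    """Normalise the report's indicators into the shapes the matcher compares on."""
    host, port = C2.rsplit(":", 1)
    bot_id, chat_id = telegram_ids(TELEGRAM_URL)
    return {
        "c2": (host, int(port)),
        "dropper_host": urlparse(DROPPER_URL).hostname,
        "telegram_bot_id": bot_id,
        "telegram_chat_id": chat_id,
        "install_file": INSTALL_FILE.lower(),
    }


# Constructed log lines (not from the report); assumed format:
# <timestamp> <src_ip> <dst_ip:port> <url or -> <process>
SAMPLE_LOGS = """\
2025-03-07T10:01:02Z 10.0.0.15 104.21.0.1:443 https://cf-prod-cap.cfd/aliu1.ps1 powershell.exe
2025-03-07T10:01:05Z 10.0.0.15 193.32.177.63:6000 - USB.exe
2025-03-07T10:01:09Z 10.0.0.15 149.154.167.220:443 https://api.telegram.org/bot7238632531:REDACTED/sendMessage?chat_id=8080837794 USB.exe
2025-03-07T10:02:00Z 10.0.0.22 93.184.216.34:443 https://www.example.com/ chrome.exe
2025-03-07T10:02:30Z 10.0.0.31 149.154.167.220:443 https://api.telegram.org/bot111:REDACTED/sendMessage?chat_id=5 slack.exe
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")


def classify(line, iocs):
    """Return the list of IOC tags one log line matches (empty if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _src, dst, port, url, proc = m.groups()
    tags = []
    if (dst, int(port)) == iocs["c2"]:
        tags.append("xworm_c2")
    if url != "-":
        u = urlparse(url)
        if u.hostname == iocs["dropper_host"]:
            tags.append("ps1_dropper")
        # Exact bot id, not just api.telegram.org: legitimate bots share the host.
        if u.hostname == "api.telegram.org" and \
                u.path.startswith(f"/bot{iocs['telegram_bot_id']}:"):
            tags.append("xworm_telegram")
    if proc.lower() == iocs["install_file"]:
        tags.append("xworm_install_file")
    return tags


def hunt(logs, iocs):
    """Return (timestamp, src_ip, tags) for every line that matches an indicator."""
    hits = []
    for line in logs.splitlines():
        tags = classify(line, iocs)
        if tags:
            m = LOG_RE.match(line.strip())
            hits.append((m.group(1), m.group(2), tags))
    return hits


if __name__ == "__main__":
    for ts, src, tags in hunt(SAMPLE_LOGS, build_iocs()):
        print(ts, src, ",".join(tags))
```

Run against the constructed lines, the host 10.0.0.15 is reported three times in sequence: the dropper fetch by powershell.exe, the C2 connection by USB.exe (the install_file from the config), and the Telegram notification by the same process; the example.com request and the unrelated Telegram bot on 10.0.0.31 are left alone.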

Targets

    • Target

      cf_verif.ps1


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

MITRE ATT&CK Enterprise v15

Tasks