xworm | e300cdc65dde1e6def171e9a88096f74efc7e6437fab37ad53e3cab5cfd81329 | Triage

Sharing

General

Target

awb_post_dhl_delivery_documents.pdf.bat
Size

64KB
Sample

250307-thf8casyfs
MD5

5badf099818dadbd971715163ca64bd9
SHA1

6064c6a53bc49018a8e1d58349b5e02b6e8e41cf
SHA256

e300cdc65dde1e6def171e9a88096f74efc7e6437fab37ad53e3cab5cfd81329
SHA512

b043a6e4f5a260a29217252d3ed5f4a374a7a7dba2607e64ba0c4ab551e6c590602590efe1ff096ae67329a19bc6c6e3b6c2738fa9b1cc6cd797749c26850a36
SSDEEP

1536:g2bQApZkbmEKUgXEXzICKUnFB8Y+Rw1VG3VnlLKA1wW9EmV:g2bQAoHfzz1sJJKcumV

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

freeetradingzone.duckdns.org:3911

Mutex

WrODfHPJku8Xvqoy

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  awb_post_dhl_delivery_documents.pdf.bat
- Size
  
  64KB
- MD5
  
  5badf099818dadbd971715163ca64bd9
- SHA1
  
  6064c6a53bc49018a8e1d58349b5e02b6e8e41cf
- SHA256
  
  e300cdc65dde1e6def171e9a88096f74efc7e6437fab37ad53e3cab5cfd81329
- SHA512
  
  b043a6e4f5a260a29217252d3ed5f4a374a7a7dba2607e64ba0c4ab551e6c590602590efe1ff096ae67329a19bc6c6e3b6c2738fa9b1cc6cd797749c26850a36
- SSDEEP
  
  1536:g2bQApZkbmEKUgXEXzICKUnFB8Y+Rw1VG3VnlLKA1wW9EmV:g2bQAoHfzz1sJJKcumV
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan