General

  • Target

    t.exe

  • Size

    16.1MB

  • Sample

    250308-cenpks1jw4

  • MD5

    79478cd85097af98b283da65a51e90a6

  • SHA1

    e5afffd315eb5aefdf5ee0c8a34a4c2c8062d864

  • SHA256

    bb8ca04452ebab8e2aadb0e2af145ae1bfbfe78d733057cb0a6d0b13ceb68074

  • SHA512

    6a8f041981daa4d94ea7535bdaa40a96c511a2c3ad4877a9d961e752e9aebb96a35f67cca5f4d3398e71217b4d0bd41056481b66643399609babe5ffb52f60c7

  • SSDEEP

    393216:c9YiicgwR1FfHqO1UyXMCHWUjlVg74w45fPVBFHCRJc8:c9YiPXiyXMb8PDw45fPVqRO8

Malware Config

Extracted

Family

xworm

Version

5.0

C2

thetest.selfhost.co:1339

Mutex

hyd6qZsPPsPPgljc

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    DirectOutputService.exe

aes.plain

Targets

    • Target

      t.exe

    • Size

      16.1MB

    • MD5

      79478cd85097af98b283da65a51e90a6

    • SHA1

      e5afffd315eb5aefdf5ee0c8a34a4c2c8062d864

    • SHA256

      bb8ca04452ebab8e2aadb0e2af145ae1bfbfe78d733057cb0a6d0b13ceb68074

    • SHA512

      6a8f041981daa4d94ea7535bdaa40a96c511a2c3ad4877a9d961e752e9aebb96a35f67cca5f4d3398e71217b4d0bd41056481b66643399609babe5ffb52f60c7

    • SSDEEP

      393216:c9YiicgwR1FfHqO1UyXMCHWUjlVg74w45fPVBFHCRJc8:c9YiPXiyXMb8PDw45fPVqRO8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide the display window.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks