Overview

overview

10

Static

static

1

999ec6f3dd...a9.bat

windows7-x64

8

999ec6f3dd...a9.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    999ec6f3dd5816786295500cd790941727bdaccb9640becf284938bda7cd73a9.bat

  • Size

    64KB

  • Sample

    250308-nyfzmawwfx

  • MD5

    fef11d117754e450b937fd134f9dba13

  • SHA1

    1024f7c99c81e39f0f53710d24e06ddea52082ad

  • SHA256

    999ec6f3dd5816786295500cd790941727bdaccb9640becf284938bda7cd73a9

  • SHA512

    db20ef27451bb79a9f21b9213e29e9ee40326c8b8dc28ba824a3aad3d901481ab18acd49d77ee0a2d68799853db5ed1ac9e76e8515070ee83632181a141a0bc4

  • SSDEEP

    1536:8nDChFG71EIZWgZkbmEKUgXEXzICKUnFT3mKHWCW7zxk7Qvc5MCzAlZt:DHft3mK2Cuzv/H

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tripplebanks.duckdns.org:3399

Mutex

bppouzbV7pFA6n72

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      999ec6f3dd5816786295500cd790941727bdaccb9640becf284938bda7cd73a9.bat

    • Size

      64KB

    • MD5

      fef11d117754e450b937fd134f9dba13

    • SHA1

      1024f7c99c81e39f0f53710d24e06ddea52082ad

    • SHA256

      999ec6f3dd5816786295500cd790941727bdaccb9640becf284938bda7cd73a9

    • SHA512

      db20ef27451bb79a9f21b9213e29e9ee40326c8b8dc28ba824a3aad3d901481ab18acd49d77ee0a2d68799853db5ed1ac9e76e8515070ee83632181a141a0bc4

    • SSDEEP

      1536:8nDChFG71EIZWgZkbmEKUgXEXzICKUnFT3mKHWCW7zxk7Qvc5MCzAlZt:DHft3mK2Cuzv/H

    Score
    10/10
    executionxwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Drops startup file

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks