General

  • Target

    powercheat (1).exe

  • Size

    29.4MB

  • Sample

    250328-zh8v9asqx6

  • MD5

    1812c9c8e1275450891c680c8cbb8dc9

  • SHA1

    be5d134a0931fa4e72b65c107b044c95b6deb52e

  • SHA256

    0cfc1a3806f651fb1f17ad1acd0cc406c3ffc7f0c12e698bb8c98878158d7dfb

  • SHA512

    19e5caca9bde72e0e2fb97968052cdbe7d0849d0fae11c2dc849c8da690b2442735edd8627c64da0b68f10db934b03ca8e4055f5e373d6fc07b0d0adb5d2c4ef

  • SSDEEP

    786432:h1/hzuWNxn5ZXCRcNFzCspP3CiOlg6w2br4Ao9lXTjEl1o0rOU:NuWNx5ZSR+R53CiOlg6Zbr4vzjRI

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:62949

pidoras123131-62949.portmap.host:62949

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7812594920:AAF8LiE_BAgLbrCBoONka4W_igE0Wo_lUEg/sendMessage?chat_id=7101392896

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
