General

  • Target

    z35awb_shipping.bat

  • Size

    91KB

  • Sample

    250520-1wvq8acr3w

  • MD5

    e3b482a015f3f7fb9c1853f67c2de7fd

  • SHA1

    feb4018e5a0deac27f074ede93d373455a5dacb4

  • SHA256

    1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7

  • SHA512

    5d25a027754d2ea0d5efe9a88b585880c3b845b255e913243e22c6dd97f19ebf7ca2853809025cd99d419cae8c986e519832009ac5b1288ccae1041ddb25e436

  • SSDEEP

    1536:ZqEuRW8rD+XNdZkbmEKUgXEXzICKUnFU0RYYFee0HaypNyl2m3Wacp5R/DiBffB4:ZduRRrWGHf2qeJ6yzyEOEHR/Ok

Malware Config

Extracted

Family

xworm

Version

5.0

C2

wealthytradesbanks.duckdns.org:3033

Mutex

3UlkrphpC1fTkFRi

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Drops startup file

MITRE ATT&CK Enterprise v16
