▲ 9 r/LinkinPark
No More Sorrow at 2x speed Is a Different Song
Chester sounds like an angry squirrel. Can't unhear it now.
u/Next-Profession-7495 — 3 days ago
u/Next-Profession-7495
▲ 4 r/Malware
Behavioral Analysis: XWorm v6.5 RAT Dropper via Batch File
Hello,
I downloaded a sample from Malwarebazaar. It was a .bat file around 208.38 KB. I set it up into AnyRun, and started the analysis.
---
Threat Type: XWorm v6.5 (RAT) + Stealer sold as Malware-as-a-Service. Capabilities include credential theft, keylogging, screenshot capture, file exfiltration, and hijacking of crypto wallets and accounts.
Execution Process:
.batfile runs -> checks for sandbox usingfindstr.exe- Uses
certutil.exeto Base64-decode an embedded payload cscript.exeexecutes decoded VBScript, droppingsvchost.exe(fake) to %TEMP%- Payload launches, copies itself to
%APPDATA%\main.exeand the startup folder for persistence - Connects to C2 and sends system fingerprint via Telegram Bot API
IOCs
Dropper SHA256: dea6cfb3234780ceeea718787e027cc6d2de18cfead1f8cc234e0ad268987868
Dropped Payload SHA256: 7f2b0ffbc5b149b4f9858589763bacdebf63ea1b3a00532e9278d613f75462ea
- C2:
23.160(.)168.174:3212 - AES Key:
<666666> - Mutex:
XUH24Sz2TPub4OF4 - USB drop name:
XWorm V6.5 by c3lestial(.)fun
Full Analysis: https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c
u/Next-Profession-7495 — 7 days ago