xworm | 9d8507a5ce83a0584aaa7c349a1f04e54b0c0d15433c0e54c2c1b74078cd3b2c | Triage

Analysis

max time kernel
131s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2022, 11:28

Sharing

Report Analysis Logs

General

Target

HEUR-Trojan.MSIL.Witch.exe
Size

40KB
MD5

171e40f206b7543658fe0f26e03b9c65
SHA1

690892775cfb9254ec4ca0d4d8121d0728df0068
SHA256

9d8507a5ce83a0584aaa7c349a1f04e54b0c0d15433c0e54c2c1b74078cd3b2c
SHA512

8f8f971fd8dcc2b499afb92f5210bf85a1dd3d006721c189cf0c5c3d0fa2186d7ef084dda2876b2def33b9f56f13fd458825798c9412cd37f2f6735d6b8159e9
SSDEEP

768:V13So7suPUw1GmqwK1JUBkquxKdVC7+1RzdqS:VIruj1ygTCEbqS

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

194.228.111.236:7000

Mutex

wRWhbzj3MKqpmTKJ

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEUR-Trojan.MSIL.Witch.exe	HEUR-Trojan.MSIL.Witch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEUR-Trojan.MSIL.Witch.exe	HEUR-Trojan.MSIL.Witch.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Witch.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Witch.exe"
1⤵
- Drops startup file
PID:4356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4356-132-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/4356-133-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-134-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

Filesize
10.8MB

Download