xworm | 71ffa8cbd2909f9ca192c76fbea4a473ecbdf7314e21c9953cc27710765000f5 | Triage

Submit
Reports

Overview

overview

Static

static

7

CG_Loader.exe

windows7-x64

8

CG_Loader.exe

windows10-2004-x64

Sharing

General

Target

CG_Loader.exe
Size

25.7MB
Sample

230320-1gmr3ahd9v
MD5

eacee266b414d217ca8869fa8eec977f
SHA1

4368546288967ce75133dad6514ee36713b50b29
SHA256

71ffa8cbd2909f9ca192c76fbea4a473ecbdf7314e21c9953cc27710765000f5
SHA512

9e39ecbc28492baf9294d4c6d7f1f8d9ffd04418754b0e599d42bd241d61e367e0f6e762f3b5fc607894e5e98e3a69939dd4fc3a8dcab0679915f93d82b1d09d
SSDEEP

393216:9eWP83C/eKN0l8btLZbpjw3srjhJ7FpRr/OB1UUWwcfwo2/S3TUFR5:9eT3eelexrdJBpQnUUewjcTUl

Score

10^/10

xworm evasion persistence rat trojan upx vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

CG_Loader.exe

Resource

win7-20230220-en

evasion persistence upx vmprotect

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

CG_Loader.exe

Resource

win10v2004-20230220-en

xworm evasion persistence rat trojan upx vmprotect

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  CG_Loader.exe
- Size
  
  25.7MB
- MD5
  
  eacee266b414d217ca8869fa8eec977f
- SHA1
  
  4368546288967ce75133dad6514ee36713b50b29
- SHA256
  
  71ffa8cbd2909f9ca192c76fbea4a473ecbdf7314e21c9953cc27710765000f5
- SHA512
  
  9e39ecbc28492baf9294d4c6d7f1f8d9ffd04418754b0e599d42bd241d61e367e0f6e762f3b5fc607894e5e98e3a69939dd4fc3a8dcab0679915f93d82b1d09d
- SSDEEP
  
  393216:9eWP83C/eKN0l8btLZbpjw3srjhJ7FpRr/OB1UUWwcfwo2/S3TUFR5:9eT3eelexrdJBpQnUUewjcTUl
Score

10^/10

evasion persistence upx vmprotect xworm rat trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

New Service

Registry Run Keys / Startup Folder

Modify Existing Service

Hidden Files and Directories

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Impair Defenses

Install Root Certificate

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Tasks

static1

behavioral1

evasionpersistenceupxvmprotect

behavioral2

xwormevasionpersistencerattrojanupxvmprotect

© 2018-2024

Terms | Privacy