xworm | 3499cb420b4427901addf0c49bb2a156a0127835e6805cdb4567979c2f90cc1e | Triage

Sharing

General

Target

9cb8eb0f60dc522ec6b24a5e8e7efe9e343bb6b2965e152cdabc2c32c99a06b7.zip
Size

370KB
Sample

230321-r52fpadf2t
MD5

902fc859407f438bb6d07eb1e6bc5f82
SHA1

22f673748345b7a8818e6ec43bc81b0332ad4492
SHA256

3499cb420b4427901addf0c49bb2a156a0127835e6805cdb4567979c2f90cc1e
SHA512

3d07be9c22e3549ceb4b556b31cc817da3bf7e27ab099f7bbbb3c1be4a1d0be1df62bcae1fa5705ca7ce5cb95d7eba2e249eb7de7ff7c17071669d75a5bb7b15
SSDEEP

6144:wjCk7SMWnQcU+vjytud/A5IvikIsO3rPzvIoY7SeaJT4PCvPHEAbAfyY3X69owhw:wjCkxGpBGtuOLkmYoY7Se88KvPHlYtQw

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

103.187.4.59:62400

Mutex

4hR1Z1dxAKjfBlJg

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  00987654345678.exe
- Size
  
  833KB
- MD5
  
  a849578e8bd54ed3528453a03dcd8760
- SHA1
  
  fc3ea5f444fe938916b5be4cf50153950e793c12
- SHA256
  
  c6af80e6ed0b9f93b7e14e956dac74d7affe71097f9ab14786e8fdd0469f4d25
- SHA512
  
  846f8b31be8499ac17e42e9716bb6fa5b31003563f694c445ea55148855e0c0bc622b7c45049bd6b45b60d041a2ca2ef4f1dcbac0df829bc4684fdab208508b4
- SSDEEP
  
  12288:R4YIM64tl6UqjSds3Yfg8TgDJavO3LnXnvAQWWftmUsFVAZL/xtjk65ek2w5KM/:RkYnsd1dMyF/xtj75T2a
Score

10^/10

xworm rat trojan persistence
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

xwormpersistencerattrojan