xworm | ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666 | Triage

Submit
Reports

Overview

overview

Static

static

LbsClient.exe

windows7-x64

LbsClient.exe

windows10-2004-x64

Sharing

General

Target

LbsClient.exe
Size

63KB
Sample

230323-nyplrshc8z
MD5

762f2fc17465058d27010124bb425202
SHA1

1b6b701c9c09128886e4676c4f1e534c7db39ad9
SHA256

ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666
SHA512

329eacc85396f176fb30989f8d85fbeea097388ab37edecf22c3f4f368c1b0b0106cc7ec5c5ad06abbe488868ce4a5731ab04e4e7852a3d37bb1bdc42bb4e932
SSDEEP

768:8FfQVS7rGOe01ZDKMFiw7qyignMEOoCenkHubK23vuEBXKZ7ifudOPJhsAjDOep:Yfo/mKM1qrgnqebKivpaV0udOR3us

Score

10^/10

xworm persistence ransomware rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

LbsClient.exe

Resource

win7-20230220-en

xworm persistence ransomware rat trojan

windows7-x64

19 signatures

1800 seconds

Behavioral task

behavioral2

Sample

LbsClient.exe

Resource

win10v2004-20230220-en

xworm persistence rat trojan

windows10-2004-x64

9 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

ways-examining.at.ply.gg:18120

Attributes

install_file
USB.exe

Targets

- Target
  
  LbsClient.exe
- Size
  
  63KB
- MD5
  
  762f2fc17465058d27010124bb425202
- SHA1
  
  1b6b701c9c09128886e4676c4f1e534c7db39ad9
- SHA256
  
  ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666
- SHA512
  
  329eacc85396f176fb30989f8d85fbeea097388ab37edecf22c3f4f368c1b0b0106cc7ec5c5ad06abbe488868ce4a5731ab04e4e7852a3d37bb1bdc42bb4e932
- SSDEEP
  
  768:8FfQVS7rGOe01ZDKMFiw7qyignMEOoCenkHubK23vuEBXKZ7ifudOPJhsAjDOep:Yfo/mKM1qrgnqebKivpaV0udOR3us
Score

10^/10

xworm persistence ransomware rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Drops startup file
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xwormpersistenceransomwarerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy