xworm | be8c72e77bd4a9453a3ffbf89383ca1487c650c3eb006b8c58e5e6490089b38c | Triage

Sharing

General

Target

BlitzedPrem.zip
Size

5.3MB
Sample

230403-rbsxfsfb67
MD5

7c73dbaf4675062445763268ae30fd50
SHA1

6a26872339fc0cecee551c81317cd40fcfb30cbd
SHA256

be8c72e77bd4a9453a3ffbf89383ca1487c650c3eb006b8c58e5e6490089b38c
SHA512

93ac3e0594c1ecd17579e9dd52ecdbd47c68fdde7a9a2a362f82e3c13f4eb2aa42ed8072de4b21eece9c75a460ba8b2fb79d66acd55b3ab78e3b12ff91efb653
SSDEEP

98304:jbDchxaZZXeYfaXv/zEvWNk9Od2/pfFz2zy24/SU1xyhuoYIDhMKJYPg:vDoaZZOYe/4We9o2952OHDwNJdJX

Score

10^/10

xworm agilenet persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

104.129.24.110:55226

Attributes

install_file
USB.exe

Targets

- Target
  
  APIFOR.DLL
- Size
  
  13KB
- MD5
  
  91b4d211faddb0ebc64fb000d75d96c1
- SHA1
  
  ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c
- SHA256
  
  e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de
- SHA512
  
  3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919
- SSDEEP
  
  192:NVjzYtxJYPX7OdfdnHpZt8kit/2Y3ciPYEC3qHa:NVgbkXK5NHpZikit/NYE4qHa
Score

1^/10
behavioral1 behavioral2
- Target
  
  BlitzedGrabberV14.exe
- Size
  
  4.1MB
- MD5
  
  62d761cb656ca111e5ce8ff8fb0d9176
- SHA1
  
  9c2b3438b84f4548f17f9ce231e54d02c1c887c6
- SHA256
  
  f070d635935054fb870319048b05750ba50135fe524fbad96b95f209e46928a2
- SHA512
  
  81ffaebd9a912a93e119542fc54297cc48d972a4a894ed458d00a942ac325ee861a43ec4bf9babb3ecfde1a98500413d03f6f821b1a5263ebe7eea8e9be9a5f0
- SSDEEP
  
  98304:2VniOdxVbQXti+ahvsWAno3COfOoEa6fY2hU2LOql6J5/uo:2VniCVbQdibsfoyOGoQw2e06tN
Score

10^/10

xworm rat trojan persistence
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  Costura.dll
- Size
  
  4KB
- MD5
  
  501981c7fc457d59238eb99780efb615
- SHA1
  
  f1f25c01f6acf33bdd62c4f82d3ef078e76f0906
- SHA256
  
  41bb464ac7c0d192641077e44a59d7d89860c3c620a59961f2fc4a4be47deae3
- SHA512
  
  5921d0662add6c8aa075106878cc56335ccbf059d8bc7f359fe9e02a52ec657c3e5df1c718929564c09f205e4bd299b086f3e7424141f5e55ed0d756f65ee1e8
- SSDEEP
  
  48:6F+lni2qJfjVRPGwzCo4MhTN0KDdilETrVsH4/QWk1qyFVT2IbG:7g7KedGEiYIWM2
Score

1^/10
behavioral5 behavioral6
- Target
  
  DiscordRPC.dll
- Size
  
  82KB
- MD5
  
  6fb17d5ac180f59aad3067097aba5c72
- SHA1
  
  501d3a253c4555319aa2379ea10172f3d4b7227e
- SHA256
  
  0083db1250991e06ca30017c7574921463920681e8f42ed1b2fcdada1515326c
- SHA512
  
  543319ad7b01f3a8c770c05501cc037f08d74c8992e960585ccd6e8477fd41ec4551227932e6cd8784ee026c010a59fc66450df4af1a3826fa66b5aa0f8e70f9
- SSDEEP
  
  768:Rclwg3ZKGYDPq4tot/AdKLExFCChWiVIhZTpuwGkAmJijcJRMrk568X+mRxHJSNN:EWrshExFEiVIJGkJ5PMoD+mRxpSNN
Score

1^/10
behavioral7 behavioral8
- Target
  
  Guna.UI2.dll
- Size
  
  1.9MB
- MD5
  
  0f07705bd42d86d77dab085c42775244
- SHA1
  
  7e4b5c367183f4753a8d610e353c458c3def3888
- SHA256
  
  cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
- SHA512
  
  851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0
- SSDEEP
  
  24576:m8Yq6KN2liAVp0j4DuJPbTzcH7DlktjfEzgKxGgcKM8Q3xajfgY236RYgPNsP:drCqfE0KctKM8Qv6RYgPY
Score

1^/10
behavioral10 behavioral9
- Target
  
  Newtonsoft.Json.dll
- Size
  
  685KB
- MD5
  
  081d9558bbb7adce142da153b2d5577a
- SHA1
  
  7d0ad03fbda1c24f883116b940717e596073ae96
- SHA256
  
  b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
- SHA512
  
  2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
- SSDEEP
  
  12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
Score

1^/10
behavioral11 behavioral12
- Target
  
  Sodium.dll
- Size
  
  59KB
- MD5
  
  fa95d735f88e819edc0cef02d3ee4781
- SHA1
  
  9e3c03ee4b0efeedf59edaca15ea304d2ec4cec7
- SHA256
  
  bf5b02ac516e9b62086649f43a29287c7872bbdb87512e9d5ec1be681c77a94a
- SHA512
  
  554cf8906c7e4bc15653685e70e96995bfdf0803fb30ca196d8bc34f9bfb888a7a1de64e8441415155889893ac7769bb643aa87913f5176c80588b1e3a38348b
- SSDEEP
  
  1536:CjCH26g5fMVJXJO466QZmtQLrG3HbK7HIN8xmZ/zuXohMU6i3HFkdEpy:CmH26gr466HtQMbK7HIN8xmZ/zuXohML
Score

1^/10
behavioral13 behavioral14
- Target
  
  System.Diagnostics.DiagnosticSource.dll
- Size
  
  34KB
- MD5
  
  8d9df432109f1cfdd86723b5f171e3d7
- SHA1
  
  85dc92edd4b0049ed9049e075c4def8a3d64e43b
- SHA256
  
  d22133818a30313e0becf010d78a556a56b34ea361dbd33588c9817631fed540
- SHA512
  
  5c83303934eecfa61c43a071d29c98e5804d37a5dc7f7b035772d6a168b0c5e65dfabef20b46214e65493c4bda44831cafee83615498fbe9e718c884f4650edf
- SSDEEP
  
  384:iQobG82oiaPaf/gn5LQ0+0zdQUv2CtyW8fiFISWbW9pWJbWivT1Nq0GftpBjAvnC:nA299fI5dxzL2CC11vimvnEBBNFT
Score

1^/10
behavioral15 behavioral16
- Target
  
  Vestris.ResourceLib.dll
- Size
  
  75KB
- MD5
  
  6ceb6c2788498c18d43deff634a7cbe4
- SHA1
  
  bf13d97c49552fa35b0fc5550f4dd3442cf9fe7a
- SHA256
  
  6d4df46db20da580ca269ae94bbecb93ae1162da1c6b4cbc86850185f8ae156c
- SHA512
  
  8573376f7a93e116773e0cfc186b6b79c834537e2d2c2c32512f1edf684dc1bb7a71b23be074eabceaabe54025c74e877fd46ffd6fa4806e82cf418b89a2673e
- SSDEEP
  
  1536:4SHviIDAqoPf5lYvBE7+IXIKr/3RxOcVVG3vKZYgmC8ITPzw3fowk6drYMOHaJIp:4SHvPDAqoPf5lYvBE7+IXXr/hxOcVVGE
Score

1^/10
behavioral17 behavioral18
- Target
  
  dnlib.dll
- Size
  
  1.1MB
- MD5
  
  4d0b771879de85137ee7e5f0d4bb4b16
- SHA1
  
  fc32cccd0cd5c3ebd968bcdf48e32a7ea25e9bd7
- SHA256
  
  962332e8c8cb459fb2f7dacec5d7a618cc53b1b49bc1740156398c89742f43fd
- SHA512
  
  bae39862ea07ebc5c9aa07a7333a880471baf4bf52eebedc03536e45584887eecc1075e0c0171229a54900ab93a66db9f666aa631c160912f538666da8c9e980
- SSDEEP
  
  24576:0eTHIbE7MJp9VuObrLhR4r9gBLKzcWQSv7fwlwhe:U1JoQJR4rm6k
Score

1^/10
behavioral19 behavioral20
- Target
  
  libsodium-64.dll
- Size
  
  397KB
- MD5
  
  5416694767519df7a2c7dec09f7c17fc
- SHA1
  
  88b7aac0b466571efa649c390c340860d2b15f93
- SHA256
  
  0c44cdd6581b94910d7440193b8f5d9804e679afdb814801ab0d7b828c5d41d7
- SHA512
  
  0e14f014645382d5d8d4c458b003146137f50de53668bbc1cdef621c5421d0c164cdc41a612b2bc337aceb2c55089de237099358b57c8ea50ea706961f93fd30
- SSDEEP
  
  6144:SeN0vm45+XnEKVDYcoYx93ebHWITzPMZV50DErQxqVE:/N0vkEiYWmH9s2DOE
Score

1^/10
behavioral21 behavioral22
- Target
  
  libsodium.dll
- Size
  
  477KB
- MD5
  
  4f6426e3626d5d46fb19c13043cb84de
- SHA1
  
  9dfa32f957c19c843a568b57d555d6d5cbc61579
- SHA256
  
  7a960129f6d3f8d44b4c6be27f587c29aa8bafb9c4d3c85bb84a5f5d8fa6e2ba
- SHA512
  
  7a83adf2b36973ceb52bfc95591bc91d4ac778a4e11d11723f6d8bf208811b8fa7d072851cfed73407c9413455de717e9a42f8e6bb1a133cb2b1981c66bb5832
- SSDEEP
  
  12288:U5PlaOdmbSUHsuijq4BxhK4Y/OfY6QyMDEh:U597q4Q/OfYUMEh
Score

1^/10
behavioral23 behavioral24

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

xwormpersistencerattrojan

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24