xworm | 805e0ca3893a53aa5086b2f0ea2ab4f49a6d60efc575836e93c8f70035740d1b | Triage

Sharing

General

Target

IMG-203110112.IMG
Size

1.4MB
Sample

230420-twz8daba63
MD5

edb79859cc0e91143bc1ccdd33f07710
SHA1

798c10e23943769af45f568599d9a2ffcc11dc63
SHA256

805e0ca3893a53aa5086b2f0ea2ab4f49a6d60efc575836e93c8f70035740d1b
SHA512

ab50527cbbbc42bac7bf1c47897e60e93bfe54fbafb9df7777f539656871e138ebf4302956a291355d88e9cea87b39d951594e6d39531d971cbc6557a410a758
SSDEEP

12288:RWmaQfFJeDYFPQC1nOw6/iZyubeDmFiFVVfHVpNtrjb+Vf7SJo7lfELkNCCtPzMI:GTCfJnGbDwKNd8H

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

severdops.ddns.net:7021

Mutex

eQLeuanC5v31k1hC

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  IMG_2031.EXE
- Size
  
  816KB
- MD5
  
  1817e46e5a422e9132a04db8fec73a0c
- SHA1
  
  31c2f9de7b5b05cc322512fd9beadd7c7e525f6d
- SHA256
  
  60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054
- SHA512
  
  b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712
- SSDEEP
  
  12288:oWmaQfFJeDYFPQC1nOw6/iZyubeDmFiFVVfHVpNtrjb+Vf7SJo7lfELkNCCtPzMI:NTCfJnGbDwKNd8H
Score

10^/10

xworm persistence rat trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan