xworm

Resubmissions

20-05-2023 17:02

230520-vkggkadg24 10

20-05-2023 16:58

230520-vg8fwagc2z 3

20-05-2023 16:56

230520-vf35rsgb8s 6

Sharing

Copy URL

Twitter E-mail

General

Target

12.bat
Size

49B
Sample

230520-vkggkadg24
MD5

354ee47d9b7f0877aaecd8db36e01468
SHA1

9bd07f39a7b4980f4565c6a3a47f15d783707df0
SHA256

6ae2b903b9e73ecac6542c15a01cfa044c06ff575b8f86e44e03140a35bea87f
SHA512

20735574ef7634039d9de979e088193eb63d0682c602d2ecaa0296b72e5636de41b53a802d6ce205fc7334c7716c4add716de87205500c0384a55a5265a653f7

Score

10^/10

Malware Config

Extracted

Family

xworm

classic-lovers.at.ply.gg:11647

Attributes

install_file
AnyDesk.exe

Targets

- Target
  
  12.bat
- Size
  
  49B
- MD5
  
  354ee47d9b7f0877aaecd8db36e01468
- SHA1
  
  9bd07f39a7b4980f4565c6a3a47f15d783707df0
- SHA256
  
  6ae2b903b9e73ecac6542c15a01cfa044c06ff575b8f86e44e03140a35bea87f
- SHA512
  
  20735574ef7634039d9de979e088193eb63d0682c602d2ecaa0296b72e5636de41b53a802d6ce205fc7334c7716c4add716de87205500c0384a55a5265a653f7
Score

10^/10

xworm evasion rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2