xworm | 9c256e20d9183fc4b7aa42014223db21c1086ec4ac90d100f7b4d98cc60f68ee | Triage

Submit
Reports

Overview

overview

Static

static

3

Output.exe

windows7-x64

Output.exe

windows10-1703-x64

Output.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

Output.exe
Size

160KB
Sample

230520-yqs94aed95
MD5

11470d4ddc09aef2e2f1d267e769ab01
SHA1

471bd5bc159c457d99310300c5721c46391c42b9
SHA256

9c256e20d9183fc4b7aa42014223db21c1086ec4ac90d100f7b4d98cc60f68ee
SHA512

4f53d0084f3b1db83afbe82882591d0c4026c64edd30e81f11b2a0592571e4fcf740323eb978a74d0940a2063146147c3e57b15339e9cc7c238350028a9e1d73
SSDEEP

3072:rp/WlSItg+6kpbx4MIHw5dZtz5h79NR5b:rpBItg+6kpFp621p

Score

10^/10

xworm persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Output.exe

Resource

win7-20230220-en

xworm persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Output.exe

Resource

win10-20230220-en

xworm persistence rat trojan

windows10-1703-x64

19 signatures

150 seconds

Behavioral task

behavioral3

Sample

Output.exe

Resource

win10v2004-20230221-en

xworm persistence rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

67.61.188.116:7777

Attributes

install_file
USB.exe

Targets

- Target
  
  Output.exe
- Size
  
  160KB
- MD5
  
  11470d4ddc09aef2e2f1d267e769ab01
- SHA1
  
  471bd5bc159c457d99310300c5721c46391c42b9
- SHA256
  
  9c256e20d9183fc4b7aa42014223db21c1086ec4ac90d100f7b4d98cc60f68ee
- SHA512
  
  4f53d0084f3b1db83afbe82882591d0c4026c64edd30e81f11b2a0592571e4fcf740323eb978a74d0940a2063146147c3e57b15339e9cc7c238350028a9e1d73
- SSDEEP
  
  3072:rp/WlSItg+6kpbx4MIHw5dZtz5h79NR5b:rpBItg+6kpFp621p
Score

10^/10

xworm persistence rat trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

behavioral3

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy