xworm | c54430b097c3220bf89dceac9e0e4ecfa6ab95302b30830e0c4f0aa64d617267 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows7-x64

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

61KB
Sample

230708-nc3lhafe31
MD5

654a9a23f94cdcfe31cdd98cd7e9dd1f
SHA1

3e7fab38617cce17abc79b5c87fbdd9597940cda
SHA256

c54430b097c3220bf89dceac9e0e4ecfa6ab95302b30830e0c4f0aa64d617267
SHA512

e75b67e6b907c58a5f55a308618ba7311114da347c0d48ff8a7304986348115d917d654e65a81903ef82d005ee548e43e35b74b78c3de54fe7e17d32ac20a87c
SSDEEP

1536:cfBPd1ylaxTobN2bN4R1DL66Z/TpYOR/P3:cf1ylsYgbNwlVT+ORn3

Score

10^/10

xworm persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20230703-en

xworm persistence rat trojan

windows7-x64

10 signatures

30 seconds

Behavioral task

behavioral2

Sample

XClient.exe

Resource

win10v2004-20230703-en

xworm persistence rat trojan

windows10-2004-x64

11 signatures

30 seconds

Malware Config

Extracted

Family

xworm

C2

WNIKO1-39869.portmap.host:39869

Attributes

install_file
USB.exe

Targets

- Target
  
  XClient.exe
- Size
  
  61KB
- MD5
  
  654a9a23f94cdcfe31cdd98cd7e9dd1f
- SHA1
  
  3e7fab38617cce17abc79b5c87fbdd9597940cda
- SHA256
  
  c54430b097c3220bf89dceac9e0e4ecfa6ab95302b30830e0c4f0aa64d617267
- SHA512
  
  e75b67e6b907c58a5f55a308618ba7311114da347c0d48ff8a7304986348115d917d654e65a81903ef82d005ee548e43e35b74b78c3de54fe7e17d32ac20a87c
- SSDEEP
  
  1536:cfBPd1ylaxTobN2bN4R1DL66Z/TpYOR/P3:cf1ylsYgbNwlVT+ORn3
Score

10^/10

xworm persistence rat trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy