xworm | 16a8928df1da51875715a7bf50162f5601b0a7e6ed357d5c5919188affaa7774 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

4f49150cb8...de.exe

windows7-x64

4f49150cb8...de.exe

windows10-2004-x64

Sharing

General

Target

912a9f5960f78c14a1bfe528860b5cc5.bin
Size

563KB
Sample

231114-czpglsga8w
MD5

0559bafa89a04e06653a01cdcb3672df
SHA1

8346447f999c7623bec2363da17442789359bbc3
SHA256

16a8928df1da51875715a7bf50162f5601b0a7e6ed357d5c5919188affaa7774
SHA512

56d416972f18e89477eb8f4786230b9e0b33dde5639ea1ee3e372348db5f334a563dfcfc1b97b58d063d0663649744152a1a27943dd05924a3a7e6d12982aa3d
SSDEEP

12288:vqpNGarSiq4wQ4CWz45VQKaMO3QRmphCRKXhahT6FgNNkN:ybDrBDw/gDZadZphMKXK6yPkN

Score

10^/10

xworm persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe

Resource

win7-20231025-en

xworm persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe

Resource

win10v2004-20231023-en

xworm persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
- Size
  
  753KB
- MD5
  
  912a9f5960f78c14a1bfe528860b5cc5
- SHA1
  
  6e23c3b72f56358efc066b6ae60d173902a0f033
- SHA256
  
  4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde
- SHA512
  
  0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352
- SSDEEP
  
  12288:2ufjVpNKUF3OjhlYnf8KPGNaTp7WeqCdmgzKrQXOxTXbebLw7:2sGQOjhlYUUGkp7FzO
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Modifies WinLogon for persistence
  persistence
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy