xworm | 5690987418e7898137bb9f8e706d3ff8f196b1dc612be983012524235f64f6af | Triage

Submit
Reports

Overview

overview

Static

static

7

QZK RAT Free.zip

windows10-2004-x64

Resubmissions

21-11-2023 21:25

231121-z9p78agf85 10

16-04-2023 14:14

230416-rj2vbsca6z 10

Sharing

General

Target

QZK RAT Free.zip
Size

135.8MB
Sample

231121-z9p78agf85
MD5

137b00100757794f85bfd997700ee1e8
SHA1

0d558b31fbe2e90babd7cdd4058d53ec66fa60de
SHA256

5690987418e7898137bb9f8e706d3ff8f196b1dc612be983012524235f64f6af
SHA512

f7283e2e1cdbff26e4c2ecca2f990c72d0703412472cccf0212c81bbf9a0979ee2e3ac6c55f1324cbab98b27392776f49319e6bbc84d7784138d89f29353bb8e
SSDEEP

3145728:AgC3YNSUW9fG+SbOeuzqHc3C6JDnnTj/Xi8BiVsspOMZ0kr+tQzapQG8KAt086UD:AgCasqOeLc3C6JbP/XiTo3krnglgD

Score

10^/10

xworm agilenet rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

QZK RAT Free.zip

Resource

win10v2004-20231020-en

xworm agilenet rat trojan

windows10-2004-x64

21 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Mutex

p4J8ovqVoF5gUN8J

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  QZK RAT Free.zip
- Size
  
  135.8MB
- MD5
  
  137b00100757794f85bfd997700ee1e8
- SHA1
  
  0d558b31fbe2e90babd7cdd4058d53ec66fa60de
- SHA256
  
  5690987418e7898137bb9f8e706d3ff8f196b1dc612be983012524235f64f6af
- SHA512
  
  f7283e2e1cdbff26e4c2ecca2f990c72d0703412472cccf0212c81bbf9a0979ee2e3ac6c55f1324cbab98b27392776f49319e6bbc84d7784138d89f29353bb8e
- SSDEEP
  
  3145728:AgC3YNSUW9fG+SbOeuzqHc3C6JDnnTj/Xi8BiVsspOMZ0kr+tQzapQG8KAt086UD:AgCasqOeLc3C6JbP/XiTo3krnglgD
Score

10^/10

xworm agilenet rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormagilenetrattrojan

© 2018-2024

Terms | Privacy