xworm | 243ec139d5bf3be07a6b027a569791b06fe20a3e508a2b0dc80cc939c89c3e83 | Triage

Submit
Reports

Overview

overview

Static

static

0478f9d1d2...4e.exe

windows7-x64

0478f9d1d2...4e.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

0478f9d1d2feebe286fd8c497705fd4e.bin
Size

72KB
Sample

231128-beamaaea73
MD5

0478f9d1d2feebe286fd8c497705fd4e
SHA1

9172687b6966bd12a4c0ee9714df03762336898f
SHA256

243ec139d5bf3be07a6b027a569791b06fe20a3e508a2b0dc80cc939c89c3e83
SHA512

a2b3de335d8bdbf8106c25bc62ed9305ff2c7416d35c0b7fc15fb55e0ad8c20ae179fc2cbcadfa88efaf27bb842d800142305ee6e0e3f7a7e7024e500fe1b4aa
SSDEEP

1536:k7AzsLBevNuWk9C360ybbibtr5EaO46s3X9Om1OZiKT6VE:k0zaevNuW8FdbOb0xe9OmIsImE

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

0478f9d1d2feebe286fd8c497705fd4e.exe

Resource

win7-20231023-en

xworm persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

0478f9d1d2feebe286fd8c497705fd4e.exe

Resource

win10v2004-20231127-en

xworm persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8080

Attributes

Install_directory
%Userprofile%
install_file
1XClie1nt.exe

Targets

- Target
  
  0478f9d1d2feebe286fd8c497705fd4e.bin
- Size
  
  72KB
- MD5
  
  0478f9d1d2feebe286fd8c497705fd4e
- SHA1
  
  9172687b6966bd12a4c0ee9714df03762336898f
- SHA256
  
  243ec139d5bf3be07a6b027a569791b06fe20a3e508a2b0dc80cc939c89c3e83
- SHA512
  
  a2b3de335d8bdbf8106c25bc62ed9305ff2c7416d35c0b7fc15fb55e0ad8c20ae179fc2cbcadfa88efaf27bb842d800142305ee6e0e3f7a7e7024e500fe1b4aa
- SSDEEP
  
  1536:k7AzsLBevNuWk9C360ybbibtr5EaO46s3X9Om1OZiKT6VE:k0zaevNuW8FdbOb0xe9OmIsImE
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy