xworm | bf1e9cc586973192afe5fd7c95b063d21870af1388da1d826a93c5efb7f010da | Triage

Sharing

Copy URL Twitter E-mail

General

Target

knc.zip
Size

7KB
Sample

231128-krvmnagf42
MD5

6203721dce5e9f3b79749a6d8fc1632c
SHA1

4e483503c2ade44bbae460bf127fc5390bd87562
SHA256

bf1e9cc586973192afe5fd7c95b063d21870af1388da1d826a93c5efb7f010da
SHA512

30eee71b5fcd20862b3cf2a4504d12d628f742237c6fc9ed631fdd942f7d22f10010b5869e7013017cbf6bb5778af08cf9ac28d477868bc4ed171efc4d3bd3f3
SSDEEP

96:e8TLcK4RadQ+HSzJhKBBfJ/IaO2mts1M7zEEUMgQSgTrQuxUpSQqmgwAsvtnSPWt:1aKWkZIa/QEEUMxSmHUpePccHW0fQtlp

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/674/364/original/vbsss.jpg?1700999331

exe.dropper

https://uploaddeimagens.com.br/images/004/674/364/original/vbsss.jpg?1700999331

Extracted

Family

xworm

Version

3.1

C2

freed12.duckdns.org:7000

Mutex

f9MuQijmg8E7F8xa

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  softbankNDNCagreementPDF.vbs
- Size
  
  198KB
- MD5
  
  d4a13ff61d8f00b0e18d6d0add1c5796
- SHA1
  
  681f3f3ec1537b3f1ae58921c8014cb7d23ce0c0
- SHA256
  
  d76e889cf2575622ca27fcb43a4bfd4df2dba3cfdd3175c28abdef00d541eaa3
- SHA512
  
  426511e9408474ce3923bad62e745b2a13bbe37a9f95d785ae3082afa163ecda02c14e6b2d6c8caae4a43bb8bed1386f4389a7fed32d3608d6386c3eec2d8537
- SSDEEP
  
  3072:e1XQyor2jokDq30ojrDq3YoT2bok2uoQ2EonDUoupCo82oo31oPioM7cotcjOeMH:1
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1