xworm | 4a4d26e08aa1c6c3d48c41b699ee35ebd995e8d02ad82d2a963d9d744fc2ea55 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows7-x64

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

170KB
Sample

231223-qpf95sbedr
MD5

4224b88ac80817579e20d6380f8b46b8
SHA1

2df2058419ffaf82c8a8eb46477028f06833d805
SHA256

4a4d26e08aa1c6c3d48c41b699ee35ebd995e8d02ad82d2a963d9d744fc2ea55
SHA512

1c72ca4a1a8517de08d9d3ec227486bd436ad71d3b40aadcb51445b4adc643d129e605cd8e63b2725ee9cf61475cf371f98067a549d23936ef8c9cf0b455a21e
SSDEEP

3072:3MQDojMFGu+UbFKBeIrH/O2eohM+lmsolAIrRuw+mqv9j1MWLQI:LLl+UbF6fa+lDAA

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20231215-en

xworm rat trojan

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

XClient.exe

Resource

win10v2004-20231215-en

xworm persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

ezhack-60175.portmap.io:5460

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  XClient.exe
- Size
  
  170KB
- MD5
  
  4224b88ac80817579e20d6380f8b46b8
- SHA1
  
  2df2058419ffaf82c8a8eb46477028f06833d805
- SHA256
  
  4a4d26e08aa1c6c3d48c41b699ee35ebd995e8d02ad82d2a963d9d744fc2ea55
- SHA512
  
  1c72ca4a1a8517de08d9d3ec227486bd436ad71d3b40aadcb51445b4adc643d129e605cd8e63b2725ee9cf61475cf371f98067a549d23936ef8c9cf0b455a21e
- SSDEEP
  
  3072:3MQDojMFGu+UbFKBeIrH/O2eohM+lmsolAIrRuw+mqv9j1MWLQI:LLl+UbF6fa+lDAA
Score

10^/10

xworm rat trojan persistence
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy