xworm | 49ea02a2e7f76432f2b474d07bbdd250543671e084e5e8c99a096b46af30d95d | Triage

Sharing

General

Target

tmp
Size

38KB
Sample

240127-q7m6eadee4
MD5

c07bd6f1db41c8a777f7315b254e9c42
SHA1

6151b17545888c1304e8b6b28a2071fe94c9e79f
SHA256

49ea02a2e7f76432f2b474d07bbdd250543671e084e5e8c99a096b46af30d95d
SHA512

83979cc3f66d72931815be5a283b754c7a972fd1dbcf0df500f93e3c4d221407a26b047e8c6ec9f65113f2846db0aad46d88bf3cf8a3b8c47d26a0485155f8dd
SSDEEP

384:uRpzjSrmqWzFVTD+i8cEv2uBLYRVAGpK94rFo1c0/pkFMAzNLTOZwg3OcvK9IbjD:iFuCzADYRy94Bo1cTFh9P8OMhS4j

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.133.57.122:7000

Mutex

pvC9E3QrtLsVzQQr

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Targets

- Target
  
  tmp
- Size
  
  38KB
- MD5
  
  c07bd6f1db41c8a777f7315b254e9c42
- SHA1
  
  6151b17545888c1304e8b6b28a2071fe94c9e79f
- SHA256
  
  49ea02a2e7f76432f2b474d07bbdd250543671e084e5e8c99a096b46af30d95d
- SHA512
  
  83979cc3f66d72931815be5a283b754c7a972fd1dbcf0df500f93e3c4d221407a26b047e8c6ec9f65113f2846db0aad46d88bf3cf8a3b8c47d26a0485155f8dd
- SSDEEP
  
  384:uRpzjSrmqWzFVTD+i8cEv2uBLYRVAGpK94rFo1c0/pkFMAzNLTOZwg3OcvK9IbjD:iFuCzADYRy94Bo1cTFh9P8OMhS4j
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan