xworm | 3e5aa6388c6a8c64c056dc8cbb0ebcc1caac6a486abebbcbe530ed8a026e8581 | Triage

Submit
Reports

Overview

overview

Static

static

3

VapeClient.exe

windows10-2004-x64

Sharing

General

Target

VapeClient.exe
Size

7.3MB
Sample

240212-xzpgtscg52
MD5

9e2ffa3af2bf72a7cd5e9a95b249cc83
SHA1

5075c4740da04fac24a3c8a5de1d22712f0d221d
SHA256

3e5aa6388c6a8c64c056dc8cbb0ebcc1caac6a486abebbcbe530ed8a026e8581
SHA512

deefe184ebdb95d5dc5975d6599798e000c59177e0b8459540d29b7fd1a06af56f0a2ad7758d7ca4baa02d879fea5ca42616b89c1a67f398ad6be486ebc1223c
SSDEEP

196608:n88YX3g0lEYwY209wW75pVNOPRoJf7ENtCk:88YHg0l0Y20X75pVqqRET9

Score

10^/10

xworm persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

VapeClient.exe

Resource

win10v2004-20231215-en

xworm persistence rat trojan upx

windows10-2004-x64

17 signatures

1200 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
microsoftsoftware_sv.exe
pastebin_url
https://pastebin.com/raw/aj6A2kvb

Targets

- Target
  
  VapeClient.exe
- Size
  
  7.3MB
- MD5
  
  9e2ffa3af2bf72a7cd5e9a95b249cc83
- SHA1
  
  5075c4740da04fac24a3c8a5de1d22712f0d221d
- SHA256
  
  3e5aa6388c6a8c64c056dc8cbb0ebcc1caac6a486abebbcbe530ed8a026e8581
- SHA512
  
  deefe184ebdb95d5dc5975d6599798e000c59177e0b8459540d29b7fd1a06af56f0a2ad7758d7ca4baa02d879fea5ca42616b89c1a67f398ad6be486ebc1223c
- SSDEEP
  
  196608:n88YX3g0lEYwY209wW75pVNOPRoJf7ENtCk:88YHg0l0Y20X75pVqqRET9
Score

10^/10

xworm persistence rat trojan upx
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojanupx

© 2018-2024

Terms | Privacy