xworm | 511434d4178f6b01f150cf3afab9fdbc062a177d78469fb6bd27b3c87fc98c67 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

2c2f38b667...e2.exe

windows7-x64

2c2f38b667...e2.exe

windows10-2004-x64

Sharing

General

Target

f24a4d5b6036a3de2eba88868bd771f2.bin
Size

3.2MB
Sample

240312-fan2bsae65
MD5

cfa125d30451777922f57b2746848d0b
SHA1

12f36a2db29268492ff012afd1e20f795205d3db
SHA256

511434d4178f6b01f150cf3afab9fdbc062a177d78469fb6bd27b3c87fc98c67
SHA512

9318630a7ecbefdff4bee68317077f72a0eab10405a133367d51c434de20576dc7c6c2cae0f20a3270f340caed33905eb6ef09af00ce31b758ab50c674d6bb88
SSDEEP

49152:dcFTYQ1hRx9s0mmXkw7UUWVVnceUJasKJDCO8+/oOE1CnhrLpNklK6Mw0M0cUTe:d2zxC0mw7wnKJasKRCWoO0Gh3SKnMH

Score

10^/10

xworm persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe

Resource

win7-20240221-en

xworm persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe

Resource

win10v2004-20240226-en

xworm persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2.exe
- Size
  
  3.3MB
- MD5
  
  f24a4d5b6036a3de2eba88868bd771f2
- SHA1
  
  3048d822d2b80d66284d1446052da0ba2be27d9e
- SHA256
  
  2c2f38b6679224281d1f9a0bee4ac5db26f845e0d0eb74c0caa2d994411ee7e2
- SHA512
  
  17a245a0c5e70982ea5f479319417864e122d3febbdf16d310d42b7f9acb8d7135fdf9c34082cd42858a4b98e696ec02d17b69deb249e8ed0cdfab26ec909bfc
- SSDEEP
  
  49152:rbAa/I9L1n4OjdXalpe85gqWa4CRFaMQRh/7hK+OWp7W+qYp9foZWHyeHxYMp5FN:ga/K1Fa71qrMFO3DgCjqWQZWSmeMTPH
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy