Task (platform): score
Overview (overview): 10
Static (static): 10
XWorm v5.1-5.2.7z (windows7-x64): 3
XWorm v5.1-5.2.7z (windows10-2004-x64): 7
XWorm/XWor....1.exe (windows7-x64): 10
XWorm/XWor....1.exe (windows10-2004-x64): 10
XWorm/XWor...32.exe (windows7-x64): 1
XWorm/XWor...32.exe (windows10-2004-x64): 10
XWorm/XWor...64.exe (windows7-x64): 1
XWorm/XWor...64.exe (windows10-2004-x64): 10
XWorm/XWor...or.dll (windows7-x64): 1
XWorm/XWor...or.dll (windows10-2004-x64): 1
XWorm/XWor...NC.dll (windows7-x64): 1
XWorm/XWor...NC.dll (windows10-2004-x64): 1
XWorm/XWor...ry.dll (windows7-x64): 1
XWorm/XWor...ry.dll (windows10-2004-x64): 1
XWorm/XWor...ps.dll (windows7-x64): 1
XWorm/XWor...ps.dll (windows10-2004-x64): 1
XWorm/XWor...ns.dll (windows7-x64): 1
XWorm/XWor...ns.dll (windows10-2004-x64): 1
XWorm/XWor...er.dll (windows7-x64): 1
XWorm/XWor...er.dll (windows10-2004-x64): 1
XWorm/XWor...ps.dll (windows7-x64): 1
XWorm/XWor...ps.dll (windows10-2004-x64): 1
XWorm/XWor...ox.dll (windows7-x64): 1
XWorm/XWor...ox.dll (windows10-2004-x64): 1
XWorm/XWor...ne.dll (windows7-x64): 1
XWorm/XWor...ne.dll (windows10-2004-x64): 1
XWorm/XWor...sk.dll (windows7-x64): 1
XWorm/XWor...sk.dll (windows10-2004-x64): 1
XWorm/XWor....2.exe (windows7-x64): 10
XWorm/XWor....2.exe (windows10-2004-x64): 10
XWorm/XWor...32.exe (windows7-x64): 1
XWorm/XWor...32.exe (windows10-2004-x64): 10
General
-
Target
XWorm v5.1-5.2.7z
-
Size
54.5MB
-
Sample
240317-xhqcssdf4w
-
MD5
76219b3556e25086fc52f8e2b93fbd0c
-
SHA1
066a0f875820e51a60c3552a06b7b97f8bab6bbc
-
SHA256
fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
-
SHA512
ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
-
SSDEEP
786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE
Behavioral task
behavioral1
Sample
XWorm v5.1-5.2.7z
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
XWorm v5.1-5.2.7z
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
XWorm/XWorm V5.1/XWorm V5.1.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
XWorm/XWorm V5.1/XWorm V5.1.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
XWorm/XWorm V5.2/IconExtractor.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
XWorm/XWorm V5.2/IconExtractor.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
XWorm/XWorm V5.2/Plugins/HVNC.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
XWorm/XWorm V5.2/Plugins/HVNC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
XWorm/XWorm V5.2/Plugins/HVNCMemory.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
XWorm/XWorm V5.2/Plugins/HVNCMemory.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
XWorm/XWorm V5.2/Plugins/HiddenApps.dll
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
XWorm/XWorm V5.2/Plugins/HiddenApps.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
XWorm/XWorm V5.2/Plugins/Informations.dll
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
XWorm/XWorm V5.2/Plugins/Informations.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
XWorm/XWorm V5.2/Plugins/Keylogger.dll
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
XWorm/XWorm V5.2/Plugins/Keylogger.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
XWorm/XWorm V5.2/Plugins/Maps.dll
Resource
win7-20240215-en
Behavioral task
behavioral22
Sample
XWorm/XWorm V5.2/Plugins/Maps.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
XWorm/XWorm V5.2/Plugins/MessageBox.dll
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
XWorm/XWorm V5.2/Plugins/MessageBox.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
XWorm/XWorm V5.2/Plugins/Microphone.dll
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
XWorm/XWorm V5.2/Plugins/Microphone.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
XWorm/XWorm V5.2/Plugins/Ngrok-Disk.dll
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
XWorm/XWorm V5.2/Plugins/Ngrok-Disk.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
XWorm/XWorm V5.2/XWorm V5.2.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
XWorm/XWorm V5.2/XWorm V5.2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe
Resource
win7-20231129-en
Malware Config
Targets
-
-
Target
XWorm v5.1-5.2.7z
-
Size
54.5MB
-
MD5
76219b3556e25086fc52f8e2b93fbd0c
-
SHA1
066a0f875820e51a60c3552a06b7b97f8bab6bbc
-
SHA256
fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
-
SHA512
ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
-
SSDEEP
786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE
Score 7/10
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
-
-
Target
XWorm/XWorm V5.1/XWorm V5.1.exe
-
Size
9.3MB
-
MD5
540a501c683c91729e712fe83cf4e92f
-
SHA1
d426473f486cd7b46ec8d3bae4a3f9b42f780f89
-
SHA256
567ac8995973807a1288847d357dd8014118f07194a4db64cccaeab5871d54e1
-
SHA512
25aa06429cc1272c1932e543d41563905964ef2b7dad9e6b0a13aee8c6fff5a4a9e9f4ba023435d265ddb36cdfebaca8efadfd8e9a3918747e29a2764e09a2a6
-
SSDEEP
196608:fHMCjsbDbqTw0l1s3PIump2n7lpQutrONgFETLU6Jz8p:fHaXYDXs3PIo7wutrMYEB
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe
-
Size
109KB
-
MD5
4241a6375a548b2a6b8c7bf749cb40a5
-
SHA1
32d938a053ac3a127c9d48128c2de8262ff2e6fc
-
SHA256
3ef2fc92e45af81d0de1515de17c1b58fa8904bdfaa6fa729547110e4b181ddc
-
SHA512
d2c5f1a2d993a193895a5c562aad7a297120dd0fe009d04faf6d45ae0e25c700607e78a3bc0f104f742744cd2a986acadc623b0d1eebbacd9145c9a48ace42b3
-
SSDEEP
1536:5V1PFOX0jrClW7PUYSmqSwqmyVttdGFQeOPigx:5V1PFu0jrCQn3qSwqmyBeu
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe
-
Size
109KB
-
MD5
4bf2058e2fe4ee6490873acd8d00fc71
-
SHA1
099f6cd30e1db09c0c51fad208a2c2706c6bd437
-
SHA256
53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea
-
SHA512
f4382641663486fadb345537b2d2fc8097e918ccc4697e79e5d1c219a6e66f301a2a4bc65f4a95f740fc92eccaef55ebd99ed49dafdbe2a28f906c15c549d4a5
-
SSDEEP
1536:xPsDAsCSuhbXNBcqhZ6tJaW9lSr89qmyVttdGFQeOPigx:1s5maVJaWPSI9qmyBeu
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.2/IconExtractor.dll
-
Size
10KB
-
MD5
640d8ffa779c6dd5252a262e440c66c0
-
SHA1
3252d8a70a18d5d4e0cc84791d587dd12a394c2a
-
SHA256
440912d85d2f98bb4f508ab82847067c18e1e15be0d8ecdcff0cc19327527fc2
-
SHA512
e12084f87bd46010aded22be30e902c5269a6f6bc88286d3bef17c71d070b17beada0fe9e691a2b2f76202b5f9265329f6444575f89aff8551c486eafe4d5f32
-
SSDEEP
192:7f77J4cGYyfQknxLvIgyLY5xJeU5pPpZlEAs:HS2yINgyLYLJR5wl
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/HVNC.dll
-
Size
58KB
-
MD5
b5ea6d82ec2d4127124eb9467eb5ce16
-
SHA1
0a27f08f94a80024854721c73c7715af95581da7
-
SHA256
ecb1a845bc2e813193e628eea48738f2354eb1ce8902a092118aa48ea2ff4bc7
-
SHA512
ab459d26ce689d5c7fb533fb754b875896c214e0001ecc6e8b061f7cdaf1aec06400f66f506822775337a42b80f4e1e9ab008a658cfacc873cfa83eaab6f1880
-
SSDEEP
1536:qKtNhYe3TQz12BWR77E3WxD9IhETnYT3CW3:rNhYecz12BWR7WCrKB3
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/HVNCMemory.dll
-
Size
39KB
-
MD5
14ca9b8f7993924b77078e08ec0d5df5
-
SHA1
fb2b5717da357f6d13bb1127980c22bada68836a
-
SHA256
8ab3391fa5880be5991133416bae0d5b76daa2d43c8ff92ff44d6dda23386e57
-
SHA512
64aac1a872666bce5bb86144a6f96bb6905a2d900d76e8d2d6f1cf8b499baefd35c7fb4d6b5150d5717451c5ad632d677ae6f85737d334a7cebbd9d725c9964f
-
SSDEEP
768:hbsnFtMqFJAkIAW3fY3WNSrfaA9oQoy1bqLRPD:hYF1jARvGWNE/okcb
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/HiddenApps.dll
-
Size
45KB
-
MD5
c5efa70a04a026b9a2fa97b1ea43e840
-
SHA1
aab2de0ab74c12e04256ff2b113b062dc93179e6
-
SHA256
f9ef7709f34e944d99ca5bef6af1524d7cf3889894084b7ae61e9202f267a728
-
SHA512
1348d4ebd3ac5b56eb32820ee14f9aee20a43b7dc3d06dd7fd62c8f227b12a27d0c0376c7d858e78315cd92d17e588bc2e37648c04d146530db706e8b3c4ff1d
-
SSDEEP
768:zy37gsdDvMZ9+rdm2KExqbMYRQpWk/x0qqBi3X/G0gpfN3ff2oA:idDvML+r/rqbMYRQpl/x5qI/dEdX2J
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/Informations.dll
-
Size
22KB
-
MD5
310ba7a07953ed7f783e89bcff6197e3
-
SHA1
147aa53e0d7cb027e6c67fa50fcb0dc0c770e157
-
SHA256
b10616eb3f5e4b0ceffc696179cdb616c78ef970dedbac10845a39985c91a38a
-
SHA512
554ead0f700dd617eed6055a84ecad288c4779ab20206e7434a8f3443a03a95a501014cd52390eb57570c25ea2bd7a298b96e88e8550d10b2a5db4f9633af529
-
SSDEEP
384:24svJAz5thUNHcxxypeGQ/0n3TmyxhxJNSLSg4RjjoZ:24suz/LypeGQEjfNSQM
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/Keylogger.dll
-
Size
17KB
-
MD5
40ba99b80654259d0428c7e4f3645948
-
SHA1
8fa93e0f035694cd8e420aa2232aca859b3a2a6b
-
SHA256
3361bb2309e4ee31f14081bc170ac530e2ae9d1336026e736190a0304e2e77e4
-
SHA512
fc1deb29eea114e5a472102a51d49fa253a5c79821acffa930b30089ebecec4312437d4720b46e92149be2ce69aed57dc3939621a596ed6c413397363fa44ee7
-
SSDEEP
192:uCK9HKDyS0+NKdUxEIj1aq8fgYO1Lnq4Ur1XneDN6IW1Y6Up91KNN10UbnnSL2CV:K5Oe+4dw1IDMO4U5uD8Upih0yZCV
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/Maps.dll
-
Size
15KB
-
MD5
b74f037f6c6de44e817660922a3044fc
-
SHA1
eb5acc30d3f607193bd819e8c0cdaaf70295c5b4
-
SHA256
ccb32961b904a22c2531313ed7c3733d7288daab181074f034eb4c73a0958a65
-
SHA512
a547961b87ecdbc0f9bf02381f16e03795dc73eda744a86da2cc07c97d7f1b65642971347d1ca69f36ead63c3b9078b6e0f2ecb4b6f2178a3b9a62f3ffb76579
-
SSDEEP
384:/HC+Q4WPRdJElcjp8J4jtepa9BX/bS9E2:/HCbRdWle2C5x/u6
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/MessageBox.dll
-
Size
15KB
-
MD5
bde9c12607827e21c64e1d64033043b5
-
SHA1
d980614dda65f1f4c3a73d1f9c8162e597fcac4e
-
SHA256
2170fe155b56e362500ece32013bbf8d45d5dc93e689ab33d3612066c7450f75
-
SHA512
e015d9b915b748d1683c18621919161f9d495221c9bf788b661e3eeab60320ee0b0d9d64a393fafa47b521b484f0af2c9948f6dac0a9b7ef1e8910571e7e98eb
-
SSDEEP
192:kpDQ4tBCjRD6W2Y7gF/OF2glT/9r169G3m6IW1mX/j0rsVHvJsJtDdZKML2vW9:0QcRW2UVT/95gG3UX/j0ZyvW9
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/Microphone.dll
-
Size
540KB
-
MD5
747554e4ca902a8d18b797c2edcb43ed
-
SHA1
508d7c9f0b031a352a1a1f25d4c6abf4167392d5
-
SHA256
1f135bc57ea4f44bf8a37d66b42788bed5aba753c5cbd0b4d3349ede64abfc59
-
SHA512
deb3f480dc7febb1d9ff4ccdb1dd04d83e9fbe7e74fb0dd39d103dbe85fa0c434407ab032e9bca027e38a0f482d08308513cd821b09dc08aafafd905e97126fd
-
SSDEEP
6144:yF8i30ykMPoxBemtSQvAVYm8Ou/JgtKMV6fb78+Ommg8YCQ18aFgRWAdoYCY8gQg:uP32emtLAV8OXebgreL7AwuaruedUB
Score 1/10
-
-
Target
XWorm/XWorm V5.2/Plugins/Ngrok-Disk.dll
-
Size
7.0MB
-
MD5
4443f2173682ef836df2f89e1b44296e
-
SHA1
1b0db6530eb5c5404af614143f464d663382c2e4
-
SHA256
01e170bc479dc22cec4658a39067e001a72a974a4e562aca01162f82decd20b6
-
SHA512
7bb8df753fc3636d3b01f2145c1df553b34a427a9e07d4c563a1fb2e23480ba2d609658d6ca2c4deaa386feff8af741397a3cbdb15c28157c4cf4ba8244fb61f
-
SSDEEP
196608:+CsxED7kwTV6B/nCR7+AA3e5MryK5Rj1Bpw7Vdjz8wEO+Dl:+TED7/VEqt/A3TryARj1BpwLktl
Score 1/10
-
-
Target
XWorm/XWorm V5.2/XWorm V5.2.exe
-
Size
12.2MB
-
MD5
8b7b015c1ea809f5c6ade7269bdc5610
-
SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96
-
SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
-
SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180
-
SSDEEP
196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe
-
Size
109KB
-
MD5
f3b2ec58b71ba6793adcc2729e2140b1
-
SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2
-
SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae
-
SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495
-
SSDEEP
1536:5vjAnXqn2nY7WfRMgPQQrMoqmyVttdGFQeOPigx:5LCan2nY7sdQQAoqmyBeu
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-