General
-
Target
XWorm v5.1-5.2.7z
-
Size
54.5MB
-
Sample
240317-xl3gjadg5s
-
MD5
76219b3556e25086fc52f8e2b93fbd0c
-
SHA1
066a0f875820e51a60c3552a06b7b97f8bab6bbc
-
SHA256
fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
-
SHA512
ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
-
SSDEEP
786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE
Behavioral tasks
behavioral1: Sample XWorm v5.1-5.2.7z; Resource win7-20240221-en
behavioral2: Sample XWorm v5.1-5.2.7z; Resource win10v2004-20240226-en
behavioral3: Sample XWorm/XWorm V5.1/XWorm V5.1.exe; Resource win7-20231129-en
behavioral4: Sample XWorm/XWorm V5.1/XWorm V5.1.exe; Resource win10v2004-20240226-en
behavioral5: Sample XWorm/XWorm V5.1/XWorm V5.1.exe.xml; Resource win7-20240215-en
behavioral6: Sample XWorm/XWorm V5.1/XWorm V5.1.exe.xml; Resource win10v2004-20240226-en
behavioral7: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe; Resource win7-20240221-en
behavioral8: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe; Resource win10v2004-20240226-en
behavioral9: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe.config; Resource win7-20240221-en
behavioral10: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe.config; Resource win10v2004-20240226-en
behavioral11: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe; Resource win7-20240221-en
behavioral12: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe; Resource win10v2004-20240226-en
behavioral13: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe.config; Resource win7-20240221-en
behavioral14: Sample XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe.config; Resource win10v2004-20240226-en
behavioral15: Sample XWorm/XWorm V5.2/RVGLib.dll; Resource win7-20240221-en
behavioral16: Sample XWorm/XWorm V5.2/RVGLib.dll; Resource win10v2004-20231215-en
behavioral17: Sample XWorm/XWorm V5.2/SimpleObfuscator.dll; Resource win7-20240221-en
behavioral18: Sample XWorm/XWorm V5.2/SimpleObfuscator.dll; Resource win10v2004-20240226-en
behavioral19: Sample XWorm/XWorm V5.2/XWorm V5.2.exe; Resource win7-20240221-en
behavioral20: Sample XWorm/XWorm V5.2/XWorm V5.2.exe; Resource win10v2004-20240226-en
behavioral21: Sample XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe; Resource win7-20231129-en
behavioral22: Sample XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe; Resource win10v2004-20240226-en
behavioral23: Sample XWorm/XWorm V5.2/XWormLoader 5.2 x64.exe; Resource win7-20240221-en
Malware Config
Targets
-
-
Target
XWorm v5.1-5.2.7z
-
Size
54.5MB
-
MD5
76219b3556e25086fc52f8e2b93fbd0c
-
SHA1
066a0f875820e51a60c3552a06b7b97f8bab6bbc
-
SHA256
fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
-
SHA512
ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
-
SSDEEP
786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE
-
Score
7/10
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.1/XWorm V5.1.exe
-
Size
9.3MB
-
MD5
540a501c683c91729e712fe83cf4e92f
-
SHA1
d426473f486cd7b46ec8d3bae4a3f9b42f780f89
-
SHA256
567ac8995973807a1288847d357dd8014118f07194a4db64cccaeab5871d54e1
-
SHA512
25aa06429cc1272c1932e543d41563905964ef2b7dad9e6b0a13aee8c6fff5a4a9e9f4ba023435d265ddb36cdfebaca8efadfd8e9a3918747e29a2764e09a2a6
-
SSDEEP
196608:fHMCjsbDbqTw0l1s3PIump2n7lpQutrONgFETLU6Jz8p:fHaXYDXs3PIo7wutrMYEB
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.1/XWorm V5.1.exe.config
-
Size
183B
-
MD5
66f09a3993dcae94acfe39d45b553f58
-
SHA1
9d09f8e22d464f7021d7f713269b8169aed98682
-
SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
-
SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Score
1/10
-
-
-
Target
XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe
-
Size
109KB
-
MD5
4241a6375a548b2a6b8c7bf749cb40a5
-
SHA1
32d938a053ac3a127c9d48128c2de8262ff2e6fc
-
SHA256
3ef2fc92e45af81d0de1515de17c1b58fa8904bdfaa6fa729547110e4b181ddc
-
SHA512
d2c5f1a2d993a193895a5c562aad7a297120dd0fe009d04faf6d45ae0e25c700607e78a3bc0f104f742744cd2a986acadc623b0d1eebbacd9145c9a48ace42b3
-
SSDEEP
1536:5V1PFOX0jrClW7PUYSmqSwqmyVttdGFQeOPigx:5V1PFu0jrCQn3qSwqmyBeu
-
Score
7/10
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe.config
-
Size
187B
-
MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab
-
SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
-
SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
-
SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
-
Score
3/10
-
-
-
Target
XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe
-
Size
109KB
-
MD5
4bf2058e2fe4ee6490873acd8d00fc71
-
SHA1
099f6cd30e1db09c0c51fad208a2c2706c6bd437
-
SHA256
53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea
-
SHA512
f4382641663486fadb345537b2d2fc8097e918ccc4697e79e5d1c219a6e66f301a2a4bc65f4a95f740fc92eccaef55ebd99ed49dafdbe2a28f906c15c549d4a5
-
SSDEEP
1536:xPsDAsCSuhbXNBcqhZ6tJaW9lSr89qmyVttdGFQeOPigx:1s5maVJaWPSI9qmyBeu
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe.config
-
Size
187B
-
MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab
-
SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
-
SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
-
SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
-
Score
3/10
-
-
-
Target
XWorm/XWorm V5.2/RVGLib.dll
-
Size
241KB
-
MD5
d34c13128c6c7c93af2000a45196df81
-
SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1
-
SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7
-
SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689
-
SSDEEP
6144:4vJ05NPsvienBaRWxomAElbgu6Cqe2ZBePW9J:4u6iABa+iu32ne
-
Score
1/10
-
-
-
Target
XWorm/XWorm V5.2/SimpleObfuscator.dll
-
Size
1.4MB
-
MD5
9043d712208178c33ba8e942834ce457
-
SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1
-
SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c
-
SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65
-
SSDEEP
24576:FDy7cKOfkiRrXP5WtJvW1mpjSWr7uoZme1V86:+8/AtJes1LJ
-
Score
1/10
-
-
-
Target
XWorm/XWorm V5.2/XWorm V5.2.exe
-
Size
12.2MB
-
MD5
8b7b015c1ea809f5c6ade7269bdc5610
-
SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96
-
SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
-
SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180
-
SSDEEP
196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe
-
Size
109KB
-
MD5
f3b2ec58b71ba6793adcc2729e2140b1
-
SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2
-
SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae
-
SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495
-
SSDEEP
1536:5vjAnXqn2nY7WfRMgPQQrMoqmyVttdGFQeOPigx:5LCan2nY7sdQQAoqmyBeu
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm/XWorm V5.2/XWormLoader 5.2 x64.exe
-
Size
109KB
-
MD5
e6a20535b636d6402164a8e2d871ef6d
-
SHA1
981cb1fd9361ca58f8985104e00132d1836a8736
-
SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2
-
SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30
-
SSDEEP
1536:TYogSlNwXosKwOYtV1AS9m3xQyVGNNiLkWNF7XxFqmyVttdGFQeOPigx:TvgSlqGS9m3xQyKNbWNV3qmyBeu
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-