xworm

General

Target

euro trucl.rar
Size

18KB
Sample

240325-18g1wsac59
MD5

31aea72916bb69f4b8dce6f3b4e4eba0
SHA1

ad8401caac2d0f6fb86a6ae256ca0f7cc3ca2b42
SHA256

1cc0ef0dee2f14cf2388b8bfce7159875b282ea688cbeae390d1d4c9e3f283b6
SHA512

259b3a794e056b447cf860a3894e8beb7e06b85f2e6c2fad6ac6520245f87d809e0d416a038e35f2bcf44febc11393b2929aa59fa2f7f74d0c73a0429c91fde2
SSDEEP

384:0mtmXWZSgYk/yY6I0dGpNXUWu3VN5CKVQq3KxG+QoiVP0v4pFTYhxv7bR32:hmQS9k/JoknMLVQlE+QoiVP0Q0hZ7bZ2

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

7.tcp.eu.ngrok.io:5555

tcp://0.tcp.eu.ngrok.io:5555

tcp://7.tcp.eu.ngrok.io:5555

tcp://7.tcp.eu.ngrok:5555

Mutex

adjrfH0cSB1Lj6qH

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Targets

- Target
  
  euro trucl.rar
- Size
  
  18KB
- MD5
  
  31aea72916bb69f4b8dce6f3b4e4eba0
- SHA1
  
  ad8401caac2d0f6fb86a6ae256ca0f7cc3ca2b42
- SHA256
  
  1cc0ef0dee2f14cf2388b8bfce7159875b282ea688cbeae390d1d4c9e3f283b6
- SHA512
  
  259b3a794e056b447cf860a3894e8beb7e06b85f2e6c2fad6ac6520245f87d809e0d416a038e35f2bcf44febc11393b2929aa59fa2f7f74d0c73a0429c91fde2
- SSDEEP
  
  384:0mtmXWZSgYk/yY6I0dGpNXUWu3VN5CKVQq3KxG+QoiVP0v4pFTYhxv7bR32:hmQS9k/JoknMLVQlE+QoiVP0Q0hZ7bZ2
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1
- Target
  
  euro trucl/XClient.exe
- Size
  
  38KB
- MD5
  
  535b1f8b6220ad99bf4ea56f315d5a68
- SHA1
  
  c00009f4c7603e08a4ef6cf3e9c1fa4a55fea93c
- SHA256
  
  d9cb741d4cb7b946ee7a1a4f89c621b2104755244afdf2e7165aaf3dbc0c5ea4
- SHA512
  
  e060a9756270221112cfd30fa9050a9b4fc846b99ffeb325190ad3ec2dec79f480c321cf25859a62556e8aa897905621d2f0106e9bf5ffd1eaf4da5c34b1a947
- SSDEEP
  
  768:wGYW/ELQTUzgxA9nVHXT5n7FWPV9KvOMh8jAHr:LNW8ADXpFG9KvOMOy
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Detect Xworm Payload

Xworm

Drops startup file

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2