xworm | d4822834f2b795a73ea0c7bb96ffab5cde0bd6c6416448a58bdbee2d96b205ba | Triage

Submit
Reports

Overview

overview

Static

static

1

UnbanMethod (1).vbs

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

UnbanMethod (1).vbs
Size

89KB
Sample

240326-x9qgwadc5z
MD5

72cf206b269b2c0b9e3a601f97b9ab8e
SHA1

1bc8a24ad5c25193a3c29eabf92a6ed0e3a16e85
SHA256

d4822834f2b795a73ea0c7bb96ffab5cde0bd6c6416448a58bdbee2d96b205ba
SHA512

cfff2a766553e77455bcc29400b62765a0eff9639720a6929fe1b27512d1a68e174907c2c49bcd57993cd0d7226815eb73af808d01377e71d1b6af59fdb92482
SSDEEP

1536:U6QBB7uew9rguJQNAdoPBurCM4khS/GL6aVh4HgHH5o3zweI:U6QH7Jw9vKAd7ODkhSsZVak5o3zwL

Score

10^/10

xworm persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

UnbanMethod (1).vbs

Resource

win11-20240221-en

xworm persistence rat trojan

windows11-21h2-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/MUARtvHT

Targets

- Target
  
  UnbanMethod (1).vbs
- Size
  
  89KB
- MD5
  
  72cf206b269b2c0b9e3a601f97b9ab8e
- SHA1
  
  1bc8a24ad5c25193a3c29eabf92a6ed0e3a16e85
- SHA256
  
  d4822834f2b795a73ea0c7bb96ffab5cde0bd6c6416448a58bdbee2d96b205ba
- SHA512
  
  cfff2a766553e77455bcc29400b62765a0eff9639720a6929fe1b27512d1a68e174907c2c49bcd57993cd0d7226815eb73af808d01377e71d1b6af59fdb92482
- SSDEEP
  
  1536:U6QBB7uew9rguJQNAdoPBurCM4khS/GL6aVh4HgHH5o3zweI:U6QH7Jw9vKAd7ODkhSsZVak5o3zwL
Score

10^/10

xworm persistence rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy