xworm

General

Target

c382a9b8a942145bb9cc963c5c1ab8fd53161fb9ac543e25477d41092acb668f.exe
Size

4.2MB
Sample

240405-b462sahe45
MD5

a24a8287aafe88f86ee58bde969db33c
SHA1

36ef8fac732c5208fe6e5b2fb767ac1dcc836eb7
SHA256

c382a9b8a942145bb9cc963c5c1ab8fd53161fb9ac543e25477d41092acb668f
SHA512

af0a085ff94faeabdb82b1011f13998daac68615b425528d9dab1d909a1302c01518060e24f27af9dcf0f1b9bcf60cecee71e3f8bc0980d6adc69ff28a8ce802
SSDEEP

98304:yQnUGAC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUP:y+Tn2qcUzp6UYeJRCxP

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:5050

character-acquisitions.gl.at.ply.gg:5050

Mutex

mwMjRzRXiqvikaW3

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  c382a9b8a942145bb9cc963c5c1ab8fd53161fb9ac543e25477d41092acb668f.exe
- Size
  
  4.2MB
- MD5
  
  a24a8287aafe88f86ee58bde969db33c
- SHA1
  
  36ef8fac732c5208fe6e5b2fb767ac1dcc836eb7
- SHA256
  
  c382a9b8a942145bb9cc963c5c1ab8fd53161fb9ac543e25477d41092acb668f
- SHA512
  
  af0a085ff94faeabdb82b1011f13998daac68615b425528d9dab1d909a1302c01518060e24f27af9dcf0f1b9bcf60cecee71e3f8bc0980d6adc69ff28a8ce802
- SSDEEP
  
  98304:yQnUGAC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUP:y+Tn2qcUzp6UYeJRCxP
Score

10^/10

xworm evasion rat themida trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables packed with Themida
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Detects Windows executables referencing non-Windows User-Agents

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2