xworm | c117ef22e808617d41b198ea747f076544fe76f462daed5661fb82f5e961a53a | Triage

Submit
Reports

Overview

overview

Static

static

3

4068-b5a63e850a.exe

windows7-x64

4068-b5a63e850a.exe

windows10-2004-x64

Sharing

General

Target

4068-b5a63e850a.exe
Size

1.2MB
Sample

240419-11ln4shf2y
MD5

342a7e60e3f8f8791b3dd9644b93dee0
SHA1

121d05ca9da60a4515f46631de63c4f75dc7b3ef
SHA256

c117ef22e808617d41b198ea747f076544fe76f462daed5661fb82f5e961a53a
SHA512

1f41e89bc33885295b78926df1dc439cddd071568834cfa0326545eff8a77ff5fffbe44def1ae4aed85beb64a4ac367c91bacae524727f770e57eb0a81b17881
SSDEEP

12288:pv0nlOSP8S/Ek52ZxaXGu16UX6wcRtTShzG9IlaNr/PC4e4vKvwCz2aaOWHdWs/+:p0kg/b5pXGWDXuOl3vbBpj/5Mm52e+

Score

10^/10

xworm persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4068-b5a63e850a.exe

Resource

win7-20240221-en

xworm persistence rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

4068-b5a63e850a.exe

Resource

win10v2004-20240412-en

xworm persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

Secretly512-24905.portmap.host:24905

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Targets

- Target
  
  4068-b5a63e850a.exe
- Size
  
  1.2MB
- MD5
  
  342a7e60e3f8f8791b3dd9644b93dee0
- SHA1
  
  121d05ca9da60a4515f46631de63c4f75dc7b3ef
- SHA256
  
  c117ef22e808617d41b198ea747f076544fe76f462daed5661fb82f5e961a53a
- SHA512
  
  1f41e89bc33885295b78926df1dc439cddd071568834cfa0326545eff8a77ff5fffbe44def1ae4aed85beb64a4ac367c91bacae524727f770e57eb0a81b17881
- SSDEEP
  
  12288:pv0nlOSP8S/Ek52ZxaXGu16UX6wcRtTShzG9IlaNr/PC4e4vKvwCz2aaOWHdWs/+:p0kg/b5pXGWDXuOl3vbBpj/5Mm52e+
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy