xworm | 823a46b99ae7f1302e71de1b375e40c721481d7f69779a25cb0b15b53564f3cd | Triage

Sharing

General

Target

Runtime_Broker.bat
Size

272KB
Sample

240419-xq1thadf2z
MD5

72a727ab70c538ce90817288c1b37452
SHA1

a095af10523110e887c1b199abf157857bce32ac
SHA256

823a46b99ae7f1302e71de1b375e40c721481d7f69779a25cb0b15b53564f3cd
SHA512

61228347d58088dc7f12a4e5246075a9baf504421ef308aac0ba11b48ab3e55dba6f5475854ca2ff83504802e9b0d19aecf68cd8e144a3cc1b593a54c2d22217
SSDEEP

6144:gK4e1skyYUV3FEivyHLB2KSM4dWeD0SGb9i3oqWs:gM5yYUVSivMLB2KSM4wedIabf

Score

10^/10

xworm persistence rat trojan

Malware Config

Targets

- Target
  
  Runtime_Broker.bat
- Size
  
  272KB
- MD5
  
  72a727ab70c538ce90817288c1b37452
- SHA1
  
  a095af10523110e887c1b199abf157857bce32ac
- SHA256
  
  823a46b99ae7f1302e71de1b375e40c721481d7f69779a25cb0b15b53564f3cd
- SHA512
  
  61228347d58088dc7f12a4e5246075a9baf504421ef308aac0ba11b48ab3e55dba6f5475854ca2ff83504802e9b0d19aecf68cd8e144a3cc1b593a54c2d22217
- SSDEEP
  
  6144:gK4e1skyYUV3FEivyHLB2KSM4dWeD0SGb9i3oqWs:gM5yYUVSivMLB2KSM4wedIabf
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormpersistencerattrojan