xworm | 40751536a5f6d6a98f181c1ccd19c3dcbd51a194d6ec282ab9141a3ee599c4a5 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

80KB
Sample

240420-zexc2shh8t
MD5

c2c1ba206377942b6b647f39d03904b9
SHA1

d0b9e4fb55ffdf2cb5a78b7e881d9ce641d9c17b
SHA256

40751536a5f6d6a98f181c1ccd19c3dcbd51a194d6ec282ab9141a3ee599c4a5
SHA512

83d885cd216d9e2a79e05b4270b85d1503f579548e4733ff5ae53bc1513a184345072f64216ad9445ebc2fa57af55b14277a845b1dfde152622fafbb91c07f05
SSDEEP

1536:RBeQHCHtsCRq1GS8+2KWUGPh8XGAWptciXuCx/sw9lp/bXK0apO5O6u7rsOE1aSE:neRNsCRq1GS8+2DGhP8V/9Xb6BpJYOEY

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win10v2004-20240412-en

xworm persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
System.exe
pastebin_url
https://pastebin.com/raw/erNS5DCf
telegram
https://api.telegram.org/bot6322711372:AAGbIfXFhlNS1SFeiUdz8wnaxv2bCiayqnI/sendMessage?chat_id=1098594855

Targets

- Target
  
  XClient.exe
- Size
  
  80KB
- MD5
  
  c2c1ba206377942b6b647f39d03904b9
- SHA1
  
  d0b9e4fb55ffdf2cb5a78b7e881d9ce641d9c17b
- SHA256
  
  40751536a5f6d6a98f181c1ccd19c3dcbd51a194d6ec282ab9141a3ee599c4a5
- SHA512
  
  83d885cd216d9e2a79e05b4270b85d1503f579548e4733ff5ae53bc1513a184345072f64216ad9445ebc2fa57af55b14277a845b1dfde152622fafbb91c07f05
- SSDEEP
  
  1536:RBeQHCHtsCRq1GS8+2KWUGPh8XGAWptciXuCx/sw9lp/bXK0apO5O6u7rsOE1aSE:neRNsCRq1GS8+2DGhP8V/9Xb6BpJYOEY
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy