xworm | 7c5a8fc31217bad08b20cb8682bc68e32ba37061671dd9a2f71e4cfd6c9c4bb4 | Triage

Sharing

General

Target

XenarWare.exe
Size

126KB
Sample

240422-b4yqeadg97
MD5

ecb66b5490aa1bd639d941e1b0f771d0
SHA1

1978eca98549a3e3c3a7bac57aec7d5c4b88fbed
SHA256

7c5a8fc31217bad08b20cb8682bc68e32ba37061671dd9a2f71e4cfd6c9c4bb4
SHA512

b9e470a9ea19542e3674f96e27b1b97261d4b66a1a9eed2dbfe211d9726c0213b4ad03331893ed1bd628d046619dcbfd7c20d438d5c302ba597e22f92a168843
SSDEEP

3072:A/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSXb/:7tzsb5Uh28+V1WW69B9VjMdxPedN9ugT

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Mutex

sk3UbSOs3RzNpgph

Attributes

Install_directory
%LocalAppData%
install_file
uwumonster.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:33920

original-taught.gl.at.ply.gg:33920

Attributes

Install_directory
%AppData%
install_file
FreePornHubPremium.exe

Targets

- Target
  
  XenarWare.exe
- Size
  
  126KB
- MD5
  
  ecb66b5490aa1bd639d941e1b0f771d0
- SHA1
  
  1978eca98549a3e3c3a7bac57aec7d5c4b88fbed
- SHA256
  
  7c5a8fc31217bad08b20cb8682bc68e32ba37061671dd9a2f71e4cfd6c9c4bb4
- SHA512
  
  b9e470a9ea19542e3674f96e27b1b97261d4b66a1a9eed2dbfe211d9726c0213b4ad03331893ed1bd628d046619dcbfd7c20d438d5c302ba597e22f92a168843
- SSDEEP
  
  3072:A/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSXb/:7tzsb5Uh28+V1WW69B9VjMdxPedN9ugT
Score

10^/10

xworm persistence rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormpersistencerattrojan