xworm | 610e127f79bb023801c4964d5fb4ce85f8cc145f54be11eb3dbe685c5e927db0 | Triage

Submit
Reports

Overview

overview

Static

static

Mercurial.exe

windows10-1703-x64

Mercurial.exe

windows10-2004-x64

Mercurial.exe

windows11-21h2-x64

Sharing

General

Target

Mercurial.exe
Size

3.4MB
Sample

240425-bpph7acg34
MD5

098e9faf57bdcda0314e4f43cfbe9686
SHA1

3a245eedb31cafc62d3672885875489551b69283
SHA256

610e127f79bb023801c4964d5fb4ce85f8cc145f54be11eb3dbe685c5e927db0
SHA512

202e533c0a0a535add4e6a19a04b2fa36e486a3b058981d522cc2b961af4dd189d69f20cf77aebad31bc5e1eaef183a4ed6d6948c62ea7ceabd226a7c9fe05b1
SSDEEP

98304:hNkjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:hxzJpjS346t1bIfuq07

Score

10^/10

xworm agilenet rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Mercurial.exe

Resource

win10-20240404-en

xworm agilenet rat trojan

windows10-1703-x64

11 signatures

300 seconds

Behavioral task

behavioral2

Sample

Mercurial.exe

Resource

win10v2004-20240412-en

xworm agilenet rat trojan

windows10-2004-x64

12 signatures

300 seconds

Behavioral task

behavioral3

Sample

Mercurial.exe

Resource

win11-20240412-en

xworm agilenet rat trojan

windows11-21h2-x64

10 signatures

300 seconds

Malware Config

Extracted

Family

xworm

C2

147.185.221.17:53478

Attributes

Install_directory
%Temp%
install_file
Runbroker.exe

Targets

- Target
  
  Mercurial.exe
- Size
  
  3.4MB
- MD5
  
  098e9faf57bdcda0314e4f43cfbe9686
- SHA1
  
  3a245eedb31cafc62d3672885875489551b69283
- SHA256
  
  610e127f79bb023801c4964d5fb4ce85f8cc145f54be11eb3dbe685c5e927db0
- SHA512
  
  202e533c0a0a535add4e6a19a04b2fa36e486a3b058981d522cc2b961af4dd189d69f20cf77aebad31bc5e1eaef183a4ed6d6948c62ea7ceabd226a7c9fe05b1
- SSDEEP
  
  98304:hNkjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:hxzJpjS346t1bIfuq07
Score

10^/10

xworm agilenet rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormagilenetrattrojan

behavioral2

xwormagilenetrattrojan

behavioral3

xwormagilenetrattrojan

© 2018-2024

Terms | Privacy