xworm | 4ab06ce2922222f591b776a0c6c332952ff24bbcf6f757692a6ed5f9b45cc67a | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

XClient.exe

windows10-1703-x64

Sharing

General

Target

XClient.exe
Size

74KB
Sample

240426-g63p2aag2w
MD5

ef36a6fed3a555b4aee8288dbe0143ee
SHA1

b31be44e9e4767d7df123d742f32802aa343d0ec
SHA256

4ab06ce2922222f591b776a0c6c332952ff24bbcf6f757692a6ed5f9b45cc67a
SHA512

04d87228b20401ab5c7d36be3a217c09a413c671a28c016fa82fe5b19cf7b5579f15bf74212bd6a5fd141bb4e29897dc754bda20896323f8f60fc55a3e47a09c
SSDEEP

1536:JztsRxq5z5siBUx5bW1Y9JeaSlbaeQ5FPlREgs6aDOUgyoNFffxv0:dtsRxE5sMiWG96bap9EgEDOUeNFfx0

Score

10^/10

xworm evasion rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win10-20240404-en

xworm evasion rat trojan

windows10-1703-x64

28 signatures

600 seconds

Malware Config

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes

Install_directory
%AppData%
install_file
Client.exe
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Targets

- Target
  
  XClient.exe
- Size
  
  74KB
- MD5
  
  ef36a6fed3a555b4aee8288dbe0143ee
- SHA1
  
  b31be44e9e4767d7df123d742f32802aa343d0ec
- SHA256
  
  4ab06ce2922222f591b776a0c6c332952ff24bbcf6f757692a6ed5f9b45cc67a
- SHA512
  
  04d87228b20401ab5c7d36be3a217c09a413c671a28c016fa82fe5b19cf7b5579f15bf74212bd6a5fd141bb4e29897dc754bda20896323f8f60fc55a3e47a09c
- SSDEEP
  
  1536:JztsRxq5z5siBUx5bW1Y9JeaSlbaeQ5FPlREgs6aDOUgyoNFffxv0:dtsRxE5sMiWG96bap9EgEDOUeNFfx0
Score

10^/10

xworm evasion rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormevasionrattrojan

© 2018-2025

Terms | Privacy