xworm | 8117e22fbace37f3ed1dfdcc6567e655619970990acd0df94bd83996a7bdc957 | Triage

Submit
Reports

Overview

overview

Static

static

C437rPSQNV...pa.zip

windows11-21h2-x64

Sharing

General

Target

C437rPSQNVzgjPbIKiUZsEqostl9FnPve5mDqEpa.zip
Size

66.1MB
Sample

240427-patq9aab85
MD5

6c6cf43a66079c890cc9dd419efeae4f
SHA1

9675f1b6460cb16ea766335b83465b358255ee62
SHA256

8117e22fbace37f3ed1dfdcc6567e655619970990acd0df94bd83996a7bdc957
SHA512

1896eb26337ea92ee931a26c5d13e03df77a3a88deb1b5055aca158c3c0f8e74ed535e2790c7ec305335f6bd473c4dacb3cdb4ae1b661601b7f6389271bb4523
SSDEEP

1572864:mJVa7OvQzyw/liz3XkU+G7Ayf7EfuqDDadM14ygCzEg6ZS80h//:tOvQzywEzX55fksCAgsS8a//

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

C437rPSQNVzgjPbIKiUZsEqostl9FnPve5mDqEpa.zip

Resource

win11-20240426-en

xworm persistence rat trojan

windows11-21h2-x64

17 signatures

600 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/z5PQ82wE

Targets

- Target
  
  C437rPSQNVzgjPbIKiUZsEqostl9FnPve5mDqEpa.zip
- Size
  
  66.1MB
- MD5
  
  6c6cf43a66079c890cc9dd419efeae4f
- SHA1
  
  9675f1b6460cb16ea766335b83465b358255ee62
- SHA256
  
  8117e22fbace37f3ed1dfdcc6567e655619970990acd0df94bd83996a7bdc957
- SHA512
  
  1896eb26337ea92ee931a26c5d13e03df77a3a88deb1b5055aca158c3c0f8e74ed535e2790c7ec305335f6bd473c4dacb3cdb4ae1b661601b7f6389271bb4523
- SSDEEP
  
  1572864:mJVa7OvQzyw/liz3XkU+G7Ayf7EfuqDDadM14ygCzEg6ZS80h//:tOvQzywEzX55fksCAgsS8a//
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy