xworm | 8f8357d148b18d37c86c5aa9d9d0eb644f1f041ae30d576ff45b8732eec9a126 | Triage

Sharing

General

Target

Obfuscation.exe
Size

3.5MB
Sample

240427-tdfq1sdd4w
MD5

3ef77ccf451eae1d56741ebe6ae907e2
SHA1

c725bab6c49aab8489456d9fcf45425a302b7154
SHA256

8f8357d148b18d37c86c5aa9d9d0eb644f1f041ae30d576ff45b8732eec9a126
SHA512

8cb7a9fa370e67214bee0e713ea7189b0313895d90eb7b1e13bb0d04eb18e11aca9bcab6b17a95a80409a72a0e736915cdd2c5ca3b75fc974a6111d4f2d63e60
SSDEEP

49152:LtUa5j9wPntVvN/PYqaCdpssj7CSHvQNaQH6+z0i6:hUaadK

Score

10^/10

xworm persistence rat trojan

Malware Config

Targets

- Target
  
  Obfuscation.exe
- Size
  
  3.5MB
- MD5
  
  3ef77ccf451eae1d56741ebe6ae907e2
- SHA1
  
  c725bab6c49aab8489456d9fcf45425a302b7154
- SHA256
  
  8f8357d148b18d37c86c5aa9d9d0eb644f1f041ae30d576ff45b8732eec9a126
- SHA512
  
  8cb7a9fa370e67214bee0e713ea7189b0313895d90eb7b1e13bb0d04eb18e11aca9bcab6b17a95a80409a72a0e736915cdd2c5ca3b75fc974a6111d4f2d63e60
- SSDEEP
  
  49152:LtUa5j9wPntVvN/PYqaCdpssj7CSHvQNaQH6+z0i6:hUaadK
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan