xworm | 1ff8fa09d7cd8aaa2a6f4f32965f25b2fcb0bd4993729ade01a16164389810c0 | Triage

Submit
Reports

Overview

overview

Static

static

nigger.exe

windows7-x64

nigger.exe

windows10-2004-x64

Sharing

General

Target

nigger.exe
Size

41KB
Sample

240428-dcy8zaeh6t
MD5

7820f5d5245b72be9f24ed477f87287b
SHA1

84ce2f3d43accdfb55916e7ec6faf3cab9ed2497
SHA256

1ff8fa09d7cd8aaa2a6f4f32965f25b2fcb0bd4993729ade01a16164389810c0
SHA512

68d4561683a44f6b814d4e98e74b6c123323b98fb32f234b928146389d7c7c8af4987dd43d5dcb044edf293558e3c850dcf8e5c1e6a9e66a9e8741cf61cb7b2b
SSDEEP

768:cTFHrDMQVZYwCxJAuwKFjHKShtF5PG9+zqOwhj3EuX3:6wQEdrAulzKSTFI9+zqOwNFX3

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

nigger.exe

Resource

win7-20240221-en

xworm persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

nigger.exe

Resource

win10v2004-20240419-en

xworm persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:38630

147.185.221.19:38630

bay-currencies.gl.at.ply.gg:38630

and-organized.gl.at.ply.gg:38630

community-excess.gl.at.ply.gg:38630

Mutex

uhdZU70lXCRBT2pC

Attributes

Install_directory
%AppData%
install_file
runbroker.exe

aes.plain

Targets

- Target
  
  nigger.exe
- Size
  
  41KB
- MD5
  
  7820f5d5245b72be9f24ed477f87287b
- SHA1
  
  84ce2f3d43accdfb55916e7ec6faf3cab9ed2497
- SHA256
  
  1ff8fa09d7cd8aaa2a6f4f32965f25b2fcb0bd4993729ade01a16164389810c0
- SHA512
  
  68d4561683a44f6b814d4e98e74b6c123323b98fb32f234b928146389d7c7c8af4987dd43d5dcb044edf293558e3c850dcf8e5c1e6a9e66a9e8741cf61cb7b2b
- SSDEEP
  
  768:cTFHrDMQVZYwCxJAuwKFjHKShtF5PG9+zqOwhj3EuX3:6wQEdrAulzKSTFI9+zqOwNFX3
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy