xworm | e131f44ff3131bd01316cc0d99a0f36c3116adab6f0354ade58678a644c736bb | Triage

Submit
Reports

Overview

overview

Static

static

AC 3.exe

windows7-x64

AC 3.exe

windows10-2004-x64

Sharing

General

Target

AC 3.exe
Size

90KB
Sample

240428-mcdfyadg3s
MD5

676fbfb0698d8105b708e7fc902ec3ff
SHA1

1077cc7de056b570a2e117880884fddd8dcd5023
SHA256

e131f44ff3131bd01316cc0d99a0f36c3116adab6f0354ade58678a644c736bb
SHA512

0e052dfb608231b39a072f38ac169d6efafaac48b21101af13f5b2ac3b341ee83f5d7a50a36a598f01e2220b4799f00167a897487bc9db68badf27479743a07c
SSDEEP

1536:z3W5cwWRxDRuqJLOR4hvIFw9bdX0fT2to3/03JzTN6msCOlMe+DE56:z97DYsYAvGw9bdS2c/05z+COlb+Dc6

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

AC 3.exe

Resource

win7-20240215-en

xworm persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

AC 3.exe

Resource

win10v2004-20240419-en

xworm persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

artist-forum.gl.at.ply.gg:38847

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  AC 3.exe
- Size
  
  90KB
- MD5
  
  676fbfb0698d8105b708e7fc902ec3ff
- SHA1
  
  1077cc7de056b570a2e117880884fddd8dcd5023
- SHA256
  
  e131f44ff3131bd01316cc0d99a0f36c3116adab6f0354ade58678a644c736bb
- SHA512
  
  0e052dfb608231b39a072f38ac169d6efafaac48b21101af13f5b2ac3b341ee83f5d7a50a36a598f01e2220b4799f00167a897487bc9db68badf27479743a07c
- SSDEEP
  
  1536:z3W5cwWRxDRuqJLOR4hvIFw9bdX0fT2to3/03JzTN6msCOlMe+DE56:z97DYsYAvGw9bdS2c/05z+COlb+Dc6
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy