xworm | 5fb96191ad7394700966c0854e3f1225b8b2989f528ce6993a747ff7a9cf2552 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows7-x64

XClient.exe

windows10-2004-x64

Resubmissions

08-05-2024 18:11

240508-wsqkwage4w 10

08-05-2024 18:07

240508-wqltxaah47 10

Sharing

General

Target

XClient.exe
Size

67KB
Sample

240508-wqltxaah47
MD5

c9cd80d55733208fc06b8b52cddb52dc
SHA1

6cc60302d90e7d7661b5b194fa954efacba19d49
SHA256

5fb96191ad7394700966c0854e3f1225b8b2989f528ce6993a747ff7a9cf2552
SHA512

befca56bfce924e50c11f9d702ab2d6a6e05d55cd4399c4ac37891c1d337a43d05060f5cb9a1600fc4c172f7816fad14bc02e0c8d44eb82b55f61da4812cd0aa
SSDEEP

1536:n5ydgkcoaOOTxMH/W0WybZYgmH2r2i6urYiZOenvefZ3:FVxMfwybZ4rYXZOewZ3

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20240508-en

xworm execution rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

XClient.exe

Resource

win10v2004-20240226-en

xworm execution persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

silver-bowl.gl.at.ply.gg:29206

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  XClient.exe
- Size
  
  67KB
- MD5
  
  c9cd80d55733208fc06b8b52cddb52dc
- SHA1
  
  6cc60302d90e7d7661b5b194fa954efacba19d49
- SHA256
  
  5fb96191ad7394700966c0854e3f1225b8b2989f528ce6993a747ff7a9cf2552
- SHA512
  
  befca56bfce924e50c11f9d702ab2d6a6e05d55cd4399c4ac37891c1d337a43d05060f5cb9a1600fc4c172f7816fad14bc02e0c8d44eb82b55f61da4812cd0aa
- SSDEEP
  
  1536:n5ydgkcoaOOTxMH/W0WybZYgmH2r2i6urYiZOenvefZ3:FVxMfwybZ4rYXZOewZ3
Score

10^/10

xworm execution rat trojan persistence
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy