xworm | 90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

Client.exe

windows10-2004-x64

Client.exe

windows10-1703-x64

Client.exe

windows7-x64

Client.exe

windows10-2004-x64

Client.exe

windows11-21h2-x64

Sharing

General

Target

Client.exe
Size

327KB
Sample

240509-jq492aba84
MD5

abba6345ea0fb09de3cded81bec289ef
SHA1

5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0
SHA256

90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3
SHA512

8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e
SSDEEP

6144:i1YD5ubbPMBX+GIIIIIIIhIIIIIIIIIIIIIIIU:15kPMBY

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

12 signatures

30 seconds

Behavioral task

behavioral2

Sample

Client.exe

Resource

win10-20240404-en

xworm execution persistence rat trojan

windows10-1703-x64

11 signatures

30 seconds

Behavioral task

behavioral3

Sample

Client.exe

Resource

win7-20240508-en

xworm execution persistence rat trojan

windows7-x64

11 signatures

30 seconds

Behavioral task

behavioral4

Sample

Client.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

12 signatures

30 seconds

Behavioral task

behavioral5

Sample

Client.exe

Resource

win11-20240426-en

xworm execution persistence rat trojan

windows11-21h2-x64

11 signatures

30 seconds

Malware Config

Extracted

Family

xworm

C2

region-vip.gl.at.ply.gg:47649

increased-ted.gl.at.ply.gg:47649

Attributes

Install_directory
%ProgramData%
install_file
Steam.exe
telegram
https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132

Targets

- Target
  
  Client.exe
- Size
  
  327KB
- MD5
  
  abba6345ea0fb09de3cded81bec289ef
- SHA1
  
  5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0
- SHA256
  
  90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3
- SHA512
  
  8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e
- SSDEEP
  
  6144:i1YD5ubbPMBX+GIIIIIIIhIIIIIIIIIIIIIIIU:15kPMBY
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

behavioral3

xwormexecutionpersistencerattrojan

behavioral4

xwormexecutionpersistencerattrojan

behavioral5

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy