xworm | c6451291df83bdd8b0af55160337e37a0f82cc3611475c05728bc50cd9777a5d | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows7-x64

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

245KB
Sample

240511-n99q3sab46
MD5

8514e447cbf1f4e469b068e00c081976
SHA1

63bf10cb68dec396255cb6c541c4120280c0b237
SHA256

c6451291df83bdd8b0af55160337e37a0f82cc3611475c05728bc50cd9777a5d
SHA512

68c75b3b2d74cb2fb154ba2c133fe0b2604aab553915d69348ba7c461558c6937b478dfaa208af30316744ba16f3c3f26b40e7fe9e4e6d993f9c8bb14402599b
SSDEEP

6144:6dfCUJQb8RaGHUhcX7elbKTua9bfF/H9d9n:VURaGH3X3u+

Score

10^/10

xworm execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20240508-en

xworm execution rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

XClient.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

140.99.97.156:7000

Attributes

Install_directory
%ProgramData%
install_file
VLC_Media.exe

Targets

- Target
  
  XClient.exe
- Size
  
  245KB
- MD5
  
  8514e447cbf1f4e469b068e00c081976
- SHA1
  
  63bf10cb68dec396255cb6c541c4120280c0b237
- SHA256
  
  c6451291df83bdd8b0af55160337e37a0f82cc3611475c05728bc50cd9777a5d
- SHA512
  
  68c75b3b2d74cb2fb154ba2c133fe0b2604aab553915d69348ba7c461558c6937b478dfaa208af30316744ba16f3c3f26b40e7fe9e4e6d993f9c8bb14402599b
- SSDEEP
  
  6144:6dfCUJQb8RaGHUhcX7elbKTua9bfF/H9d9n:VURaGH3X3u+
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy