xworm | 9f7c00c1656ae9f0d8f044e1de0a9783f29772a7a0897383bc00158ef3a77b32 | Triage

Submit
Reports

Overview

overview

Static

static

NEVERLOSE ...EE.exe

windows10-2004-x64

NEVERLOSE ...EE.exe

windows10-1703-x64

NEVERLOSE ...EE.exe

windows7-x64

NEVERLOSE ...EE.exe

windows10-2004-x64

NEVERLOSE ...EE.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

NEVERLOSE CRACK FREE.exe
Size

66KB
Sample

240513-ksktvagb43
MD5

1cf87ed16775e956ca556f3948b535a7
SHA1

20fe1d6699242591b2c86dd3200718822fd4ccdf
SHA256

9f7c00c1656ae9f0d8f044e1de0a9783f29772a7a0897383bc00158ef3a77b32
SHA512

a4daf6899c0fbead8cf32a9120860c3059f1c78164482db55c24293f361b2286be71c494a35409279ca7555e9c41ea394a3d426258562b5ed3c3ee9254689fb9
SSDEEP

1536:D8JtOqoPKs1e3YNhXwfQLbbtoIi45BMJ6COEhKKGx:D8JtOrCs4IN8IbxR5uOEwx

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

NEVERLOSE CRACK FREE.exe

Resource

win10v2004-20240426-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

30 seconds

Behavioral task

behavioral2

Sample

NEVERLOSE CRACK FREE.exe

Resource

win10-20240404-en

xworm execution persistence rat trojan

windows10-1703-x64

19 signatures

30 seconds

Behavioral task

behavioral3

Sample

NEVERLOSE CRACK FREE.exe

Resource

win7-20240508-en

xworm execution persistence rat trojan

windows7-x64

14 signatures

30 seconds

Behavioral task

behavioral4

Sample

NEVERLOSE CRACK FREE.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

30 seconds

Behavioral task

behavioral5

Sample

NEVERLOSE CRACK FREE.exe

Resource

win11-20240508-en

xworm execution persistence rat trojan

windows11-21h2-x64

14 signatures

30 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
svhost.exe
pastebin_url
https://pastebin.com/raw/zw6Etn4T

Targets

- Target
  
  NEVERLOSE CRACK FREE.exe
- Size
  
  66KB
- MD5
  
  1cf87ed16775e956ca556f3948b535a7
- SHA1
  
  20fe1d6699242591b2c86dd3200718822fd4ccdf
- SHA256
  
  9f7c00c1656ae9f0d8f044e1de0a9783f29772a7a0897383bc00158ef3a77b32
- SHA512
  
  a4daf6899c0fbead8cf32a9120860c3059f1c78164482db55c24293f361b2286be71c494a35409279ca7555e9c41ea394a3d426258562b5ed3c3ee9254689fb9
- SSDEEP
  
  1536:D8JtOqoPKs1e3YNhXwfQLbbtoIi45BMJ6COEhKKGx:D8JtOrCs4IN8IbxR5uOEwx
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

behavioral3

xwormexecutionpersistencerattrojan

behavioral4

xwormexecutionpersistencerattrojan

behavioral5

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy