xworm | 018c780a107fe4c716e1f20814f821bee4571f2059b8efed53fafe31cea3d671 | Triage

Submit
Reports

Overview

overview

Static

static

3

Dropper.exe

windows7-x64

3

Dropper.exe

windows10-2004-x64

Sharing

General

Target

Dropper.exe
Size

130KB
Sample

240515-ld13ysba2v
MD5

f5506ffbf34168afb8dc1d12d08a38fc
SHA1

4062954622406a6e29c52d31dea192c79f7fe7bf
SHA256

018c780a107fe4c716e1f20814f821bee4571f2059b8efed53fafe31cea3d671
SHA512

e455aa92a43b0946945ee22d93b50ed9dcd7dc0c2f0e02132d4bcb1c0b67c90a132c7372f293c2292a925564cbc44050fa4830934aeb4422147905a2462716ed
SSDEEP

1536:K1KTRyrsnRpBgO7JL+97UCnDCZI31QocZaROflkfe970KqwGzlbP3BEA89wtHc:K1U4whj67KqH5bP8B

Score

10^/10

xworm discovery exploit persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Dropper.exe

Resource

win7-20240508-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

Dropper.exe

Resource

win10v2004-20240508-en

xworm discovery exploit persistence rat trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

san-periods.gl.at.ply.gg:45994

Mutex

1BUzRXFjTnB3BgEr

Attributes

Install_directory
%AppData%
install_file
svvhost.exe

aes.plain

Targets

- Target
  
  Dropper.exe
- Size
  
  130KB
- MD5
  
  f5506ffbf34168afb8dc1d12d08a38fc
- SHA1
  
  4062954622406a6e29c52d31dea192c79f7fe7bf
- SHA256
  
  018c780a107fe4c716e1f20814f821bee4571f2059b8efed53fafe31cea3d671
- SHA512
  
  e455aa92a43b0946945ee22d93b50ed9dcd7dc0c2f0e02132d4bcb1c0b67c90a132c7372f293c2292a925564cbc44050fa4830934aeb4422147905a2462716ed
- SSDEEP
  
  1536:K1KTRyrsnRpBgO7JL+97UCnDCZI31QocZaROflkfe970KqwGzlbP3BEA89wtHc:K1U4whj67KqH5bP8B
Score

10^/10

xworm discovery exploit persistence rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Downloads MZ/PE file
- Possible privilege escalation attempt
  exploit
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexploitpersistencerattrojan

© 2018-2024

Terms | Privacy