xworm | 9d28016366915abcb761788b5945736bc06d48a52d7f4199ebe3ad37fca7a5ca | Triage

Submit
Reports

Overview

overview

Static

static

1

S949757965.vbs

windows7-x64

8

S949757965.vbs

windows10-2004-x64

Sharing

General

Target

15052024_1514_14052024_S949757965.zip
Size

340KB
Sample

240515-smqrxafb4w
MD5

ecdbb7706a0796fe04f416c5ab13bee8
SHA1

158623cb23b471aa52af4502c6670b13996884d6
SHA256

9d28016366915abcb761788b5945736bc06d48a52d7f4199ebe3ad37fca7a5ca
SHA512

232373ef24003ca31b60b299256b2643a5e64c9aa6d98ebe9049723834e169a7409394b5db3e4b89c9d674863d403cb879b3e02bbd50f68d8df4fbb119ac35bc
SSDEEP

768:rFwV6iUxqGWjuGunAssIf9vzW8p1XObDltt3mcRkpAr/IAuWuqnqpxLvfe:rF95qGWjqASfN5p1ebDN2krAAu82zW

Score

10^/10

xworm zgrat persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

S949757965.vbs

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

S949757965.vbs

Resource

win10v2004-20240508-en

xworm zgrat persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xw9402may.duckdns.org:9402

xwormay9090.duckdns.org:9090

Mutex

5w6Cp63r66k4Jxsj

Attributes

install_file
USB.exe

aes.plain

aes.plain

Targets

- Target
  
  S949757965.vbs
- Size
  
  300.0MB
- MD5
  
  7d69463758d7daa176c7f0c2d7464b79
- SHA1
  
  529d7c798fa96e8c78aad637f772812a7d9f6e85
- SHA256
  
  28ea2a2652f1b206fa2c11b1f264fc3f0fdf60f45f21d3ba3ff9d50b7e118275
- SHA512
  
  e3cc81bdffe7245af8ef23b104c17259d05f08922cb1aa9b501e1da254451379bae244fef7e1e91f980c5552297f181fd03ddce76beb255df3f26172f3b4b6d4
- SSDEEP
  
  1536:zJF8FNK7mlIDCH6kN5cUh3Ooo7AhS+cYFQL4VrTflEiTGn:zM4CICHzXF3Oo/hSCegrrHGn
Score

10^/10

xworm zgrat persistence rat trojan
- Detect Xworm Payload
- Detect ZGRat V1
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormzgratpersistencerattrojan

© 2018-2024

Terms | Privacy