xworm | 945398c017348a3ddd4dbea5c7920f120ce2bed2a2bad117ad4be7258668218a | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

20240517d9...ch.exe

windows7-x64

8

20240517d9...ch.exe

windows10-2004-x64

Sharing

General

Target

20240517d9456bbb0c30222c673c9205375f5859snatch.bin
Size

4.8MB
Sample

240517-vqxezahh8t
MD5

d9456bbb0c30222c673c9205375f5859
SHA1

1d99cfb5272f0c07ffba97135073968fc1454f88
SHA256

945398c017348a3ddd4dbea5c7920f120ce2bed2a2bad117ad4be7258668218a
SHA512

f18dfdd983ff46a60fbd8102aba350971502fa3c2c78f5dcec09893d38e7369134de6ea1d490f87314fcb885981313d58306b8e8a5fd26c1664e877cf1910f35
SSDEEP

49152:xJqRbtKTC/Mx7NieQvCs7VOxDIt5E9id0HoCYtnl/4z6PZN:b8JKTXx7Ns70x2EPmh4O

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

20240517d9456bbb0c30222c673c9205375f5859snatch.exe

Resource

win7-20240508-en

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

20240517d9456bbb0c30222c673c9205375f5859snatch.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

aes.plain

Targets

- Target
  
  20240517d9456bbb0c30222c673c9205375f5859snatch.bin
- Size
  
  4.8MB
- MD5
  
  d9456bbb0c30222c673c9205375f5859
- SHA1
  
  1d99cfb5272f0c07ffba97135073968fc1454f88
- SHA256
  
  945398c017348a3ddd4dbea5c7920f120ce2bed2a2bad117ad4be7258668218a
- SHA512
  
  f18dfdd983ff46a60fbd8102aba350971502fa3c2c78f5dcec09893d38e7369134de6ea1d490f87314fcb885981313d58306b8e8a5fd26c1664e877cf1910f35
- SSDEEP
  
  49152:xJqRbtKTC/Mx7NieQvCs7VOxDIt5E9id0HoCYtnl/4z6PZN:b8JKTXx7Ns70x2EPmh4O
Score

10^/10

execution xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy