xworm

Resubmissions

21-05-2024 03:26

240521-dy8pjage2w 10

21-05-2024 03:11

240521-dplteagb61 1

Sharing

Copy URL

Twitter E-mail

General

Target

https://files.catbox.moe/vbvhg6.lzh
Sample

240521-dy8pjage2w

Score

10^/10

Malware Config

Extracted

Family

xworm

futurist2.ddns.net:20506

Attributes

Install_directory
%LocalAppData%
install_file
XClient.exe

Targets

- Target
  
  https://files.catbox.moe/vbvhg6.lzh
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

urlscan1

behavioral1