xworm | 1fd71232174da2918c3417bbe1be55ce6491b5920a1447fdbc7d48914d75a8d2 | Triage

Submit
Reports

Overview

overview

Static

static

1fd7123217...cs.exe

windows7-x64

1fd7123217...cs.exe

windows10-2004-x64

Sharing

General

Target

1fd71232174da2918c3417bbe1be55ce6491b5920a1447fdbc7d48914d75a8d2_NeikiAnalytics
Size

297KB
Sample

240521-jwkgtadg44
MD5

37777b049a8d9fa1a9395478f453cb80
SHA1

ca02bfe0836a20578d64877c37ccae93f512367d
SHA256

1fd71232174da2918c3417bbe1be55ce6491b5920a1447fdbc7d48914d75a8d2
SHA512

419ca6e4452597d9ba651cb93912dff01a56c2aaf81a31f8f1708f9d53551f938bf7626c1553e71a6159c0eddef9a6924b04e1a901dc87911f364bfedbf5fd39
SSDEEP

6144:m3mFWIDUl5bKkmWi053mFWIDUl5bKkmWi0JYGh5:m3mFbhkmWi053mFbhkmWi0/z

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

1fd71232174da2918c3417bbe1be55ce6491b5920a1447fdbc7d48914d75a8d2_NeikiAnalytics.exe

Resource

win7-20240215-en

xworm execution persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1fd71232174da2918c3417bbe1be55ce6491b5920a1447fdbc7d48914d75a8d2_NeikiAnalytics.exe

Resource

win10v2004-20240426-en

xworm execution persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

77.51.217.123:5552

Attributes

Install_directory
%AppData%
install_file
Microsoft Network Realtime Inspection Service.exe
telegram
https://api.telegram.org/bot6839974672:AAH9skWg6wzrK69lQAYnjPEGUFTBPsO_3nc/sendMessage?chat_id=6983445707

Targets

- Target
  
  1fd71232174da2918c3417bbe1be55ce6491b5920a1447fdbc7d48914d75a8d2_NeikiAnalytics
- Size
  
  297KB
- MD5
  
  37777b049a8d9fa1a9395478f453cb80
- SHA1
  
  ca02bfe0836a20578d64877c37ccae93f512367d
- SHA256
  
  1fd71232174da2918c3417bbe1be55ce6491b5920a1447fdbc7d48914d75a8d2
- SHA512
  
  419ca6e4452597d9ba651cb93912dff01a56c2aaf81a31f8f1708f9d53551f938bf7626c1553e71a6159c0eddef9a6924b04e1a901dc87911f364bfedbf5fd39
- SSDEEP
  
  6144:m3mFWIDUl5bKkmWi053mFWIDUl5bKkmWi0JYGh5:m3mFbhkmWi053mFbhkmWi0/z
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy