xworm | 6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e | Triage

Submit
Reports

Overview

overview

Static

static

3

6f4fbb8059...7e.exe

windows7-x64

6f4fbb8059...7e.exe

windows10-2004-x64

Sharing

General

Target

6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e.exe
Size

943KB
Sample

240521-rks9ksgh3w
MD5

40a1bbdd302c9737d10df6648e6db7dc
SHA1

5f9d1d4d3aea4a82542b54a84d0fa7822bd24d2c
SHA256

6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e
SHA512

98fa809cb8b7fe598f07bc61658f39379cddbfbb44ebe4e1ae8882a9ead4406820585d51a0ce836d7f2e40e532acfde61c7ba7868175871f771503a813bd0f8b
SSDEEP

12288:XVTGAlfBpSGC9Ed/Ff6qVn60dP185uk+mzA0pRELuvg8IQjzek:XVT7rhCqd/N6qVlyug8IEaY81Pek

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e.exe

Resource

win7-20240419-en

xworm execution rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e.exe
- Size
  
  943KB
- MD5
  
  40a1bbdd302c9737d10df6648e6db7dc
- SHA1
  
  5f9d1d4d3aea4a82542b54a84d0fa7822bd24d2c
- SHA256
  
  6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e
- SHA512
  
  98fa809cb8b7fe598f07bc61658f39379cddbfbb44ebe4e1ae8882a9ead4406820585d51a0ce836d7f2e40e532acfde61c7ba7868175871f771503a813bd0f8b
- SSDEEP
  
  12288:XVTGAlfBpSGC9Ed/Ff6qVn60dP185uk+mzA0pRELuvg8IQjzek:XVT7rhCqd/N6qVlyug8IEaY81Pek
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy