xworm | eb8721bfa1bcacc08b8a8712e6a7fc6d4b69776e8b592abef9539c2fc671df50 | Triage

Submit
Reports

Overview

overview

Static

static

2024-05-22...ar.exe

windows7-x64

2024-05-22...ar.exe

windows10-2004-x64

Sharing

General

Target

2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear
Size

133KB
Sample

240522-bzs95agd3s
MD5

1e06d1f23f474c5e6ba0f279d3d3dfac
SHA1

307c847fafc7453a1050d85b6099b113a2790ef0
SHA256

eb8721bfa1bcacc08b8a8712e6a7fc6d4b69776e8b592abef9539c2fc671df50
SHA512

d1d5302d01fff58479385153160ab271b15f87c87cb5d7ab1df153d818ee9f109fcf8318c7622b068bb4344ab2261aca60c571e2e642d0f84e01bf15ade3c5fb
SSDEEP

3072:J+oM/FJZdq/Fk96ytO/fXM+lmsolAIrRuw+mqv9j1MWLQI:C/FJaNk9Ts8+lDAA

Score

10^/10

xworm persistence rat trojan

Static task

static1

5 signatures

Behavioral task

behavioral1

Sample

2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe

Resource

win7-20240221-en

xworm persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe

Resource

win10v2004-20240508-en

xworm persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

103.161.170.251:7000

Mutex

O5WJMXQSSZKD5Ijn

Attributes

Install_directory
%Temp%
install_file
khiet.exe
telegram
https://api.telegram.org/bot6833541180:AAEc_LLwKd7Jex1zaN5vTaLg13uuFjIHQEU/sendMessage?chat_id=5747667034

aes.plain

Targets

- Target
  
  2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear
- Size
  
  133KB
- MD5
  
  1e06d1f23f474c5e6ba0f279d3d3dfac
- SHA1
  
  307c847fafc7453a1050d85b6099b113a2790ef0
- SHA256
  
  eb8721bfa1bcacc08b8a8712e6a7fc6d4b69776e8b592abef9539c2fc671df50
- SHA512
  
  d1d5302d01fff58479385153160ab271b15f87c87cb5d7ab1df153d818ee9f109fcf8318c7622b068bb4344ab2261aca60c571e2e642d0f84e01bf15ade3c5fb
- SSDEEP
  
  3072:J+oM/FJZdq/Fk96ytO/fXM+lmsolAIrRuw+mqv9j1MWLQI:C/FJaNk9Ts8+lDAA
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables using Telegram Chat Bot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy