xworm | e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577 | Triage

Submit
Reports

Overview

overview

Static

static

1

e01f8eba92...77.exe

windows7-x64

e01f8eba92...77.exe

windows10-2004-x64

Sharing

General

Target

e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577.exe
Size

1.1MB
Sample

240522-cyynwshf4z
MD5

5394d35793386641283a5bb8eae359c2
SHA1

78a477bc165707e1f3d6b2ce2b70aa73ffbafa23
SHA256

e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577
SHA512

28dda180125dd48cfac34d37e5601a5fe47ac38f2d677fd15388602fb0526f402dbf5052327b9f2700d9ecf18e95003519accfd471abae6d780edf8188bb7764
SSDEEP

24576:dkNGq8rz/q6tsP05X+ef1XeMiQA+NLVtk2Otk:YGpz5X+e9TNE2O+

Score

10^/10

xworm evasion execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577.exe

Resource

win7-20240221-en

xworm evasion execution rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577.exe

Resource

win10v2004-20240508-en

xworm evasion execution rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577.exe
- Size
  
  1.1MB
- MD5
  
  5394d35793386641283a5bb8eae359c2
- SHA1
  
  78a477bc165707e1f3d6b2ce2b70aa73ffbafa23
- SHA256
  
  e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577
- SHA512
  
  28dda180125dd48cfac34d37e5601a5fe47ac38f2d677fd15388602fb0526f402dbf5052327b9f2700d9ecf18e95003519accfd471abae6d780edf8188bb7764
- SSDEEP
  
  24576:dkNGq8rz/q6tsP05X+ef1XeMiQA+NLVtk2Otk:YGpz5X+e9TNE2O+
Score

10^/10

xworm evasion execution rat trojan
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables packed with or use KoiVM
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormevasionexecutionrattrojan

behavioral2

xwormevasionexecutionrattrojan

© 2018-2024

Terms | Privacy