xworm | c9e28b7463a51e94366558b4e4252e96a42d92a8798f8cbf69b4f11a1b72a6d0 | Triage

Sharing

General

Target

c9e28b7463a51e94366558b4e4252e96a42d92a8798f8cbf69b4f11a1b72a6d0.exe
Size

1.2MB
Sample

240522-r2taxaef79
MD5

1e1f743c9d9a9d5496581c66c1c4809f
SHA1

4424d0964e994c29bf0df195275b0dcd8044a265
SHA256

c9e28b7463a51e94366558b4e4252e96a42d92a8798f8cbf69b4f11a1b72a6d0
SHA512

9f3021a812d28fce994b24c2ed4700b895b6a86b4480f93831423d737e95ba473fb3427fff303dc16c23ebae4029bd7810bbbef79a941f4548074517c8bcf2fc
SSDEEP

24576:tgayxRTdHecknPKQ5w1UxudAs2OoCK15r78W61SgFT2sBGa2:n/nxQK15S3FT2sUa2

Score

10^/10

xworm evasion execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  c9e28b7463a51e94366558b4e4252e96a42d92a8798f8cbf69b4f11a1b72a6d0.exe
- Size
  
  1.2MB
- MD5
  
  1e1f743c9d9a9d5496581c66c1c4809f
- SHA1
  
  4424d0964e994c29bf0df195275b0dcd8044a265
- SHA256
  
  c9e28b7463a51e94366558b4e4252e96a42d92a8798f8cbf69b4f11a1b72a6d0
- SHA512
  
  9f3021a812d28fce994b24c2ed4700b895b6a86b4480f93831423d737e95ba473fb3427fff303dc16c23ebae4029bd7810bbbef79a941f4548074517c8bcf2fc
- SSDEEP
  
  24576:tgayxRTdHecknPKQ5w1UxudAs2OoCK15r78W61SgFT2sBGa2:n/nxQK15S3FT2sUa2
Score

10^/10

xworm evasion execution rat trojan
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormevasionexecutionrattrojan

behavioral2

xwormevasionexecutionrattrojan