xworm | b542502918e537abff66105f9432f29e6d8ba7d4169b7d2894dd9ed3261e0141 | Triage

Sharing

General

Target

b542502918e537abff66105f9432f29e6d8ba7d4169b7d2894dd9ed3261e0141.exe
Size

1.1MB
Sample

240522-r383raeg7z
MD5

78bd2bd5c0e94fa766e367a168bb4533
SHA1

d7ea5bca4e50e39c6dca8c7b6831d7600c3ce2bb
SHA256

b542502918e537abff66105f9432f29e6d8ba7d4169b7d2894dd9ed3261e0141
SHA512

1a656e55ad828cc27956446a2d5e4d74b01d56d373aec3bb64c86d5239f4bebb225dc04af1bfebc8d7738c70578cc860e395992faddfbf69a9811c3871a8fe5b
SSDEEP

24576:x8BmfWBiORmU0z9TY4VE6tH/R5Hn8AFFsY7bP78:uUjH/zfLsqP78

Score

10^/10

xworm evasion execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  b542502918e537abff66105f9432f29e6d8ba7d4169b7d2894dd9ed3261e0141.exe
- Size
  
  1.1MB
- MD5
  
  78bd2bd5c0e94fa766e367a168bb4533
- SHA1
  
  d7ea5bca4e50e39c6dca8c7b6831d7600c3ce2bb
- SHA256
  
  b542502918e537abff66105f9432f29e6d8ba7d4169b7d2894dd9ed3261e0141
- SHA512
  
  1a656e55ad828cc27956446a2d5e4d74b01d56d373aec3bb64c86d5239f4bebb225dc04af1bfebc8d7738c70578cc860e395992faddfbf69a9811c3871a8fe5b
- SSDEEP
  
  24576:x8BmfWBiORmU0z9TY4VE6tH/R5Hn8AFFsY7bP78:uUjH/zfLsqP78
Score

10^/10

xworm evasion execution rat trojan
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormevasionexecutionrattrojan

behavioral2

xwormevasionexecutionrattrojan