xworm | 126768651264590e0c0ea854824c503c0ad8c4865a96a5e77ec1b8a68c7f1f2a | Triage

Submit
Reports

Overview

overview

Static

static

Loader/Loader.exe

windows10-2004-x64

Sharing

General

Target

Loader (1).zip
Size

37KB
Sample

240522-tr655agh7z
MD5

462406389015b8dd3bdb6b1d38cc11d2
SHA1

34b1c21e6490b5325e1db7804ef49cbd439c238b
SHA256

126768651264590e0c0ea854824c503c0ad8c4865a96a5e77ec1b8a68c7f1f2a
SHA512

6a716ea439e40a97cc26d87392d407df25840a6c28f7179b6e0acba63461dd16e10f6663b8f7e1883067e358e1edff1757a1d83f0b3b174e199f7ba9919823f1
SSDEEP

768:8Wb6FhhS1HMRg1ai90d9ykWl+GkNCSocLuAcazpU4hZ1LVY/QC:/2C8MKqkWlsFdU4hZtVCQC

Score

10^/10

xworm execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Loader/Loader.exe

Resource

win10v2004-20240226-en

xworm execution rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:26958

rule-lit.gl.at.ply.gg:26958

winter-waterfall-41970.pktriot.net:26958

prices-hospitals.gl.at.ply.gg:26958

Attributes

Install_directory
%AppData%
install_file
GoogleDefenderDebuggerx64.exe

Targets

- Target
  
  Loader/Loader.exe
- Size
  
  65KB
- MD5
  
  953c5ee665a24382859895c809863f71
- SHA1
  
  bd5d449219e4ac4e85fd7bb73d7d01b25510ccb1
- SHA256
  
  4b0cb85d10fc187ab5e035b7d645b16e454c82a352cf5f2203ababb0b891b02c
- SHA512
  
  244509e35905d70df2f660df27b1314afa2dbc3e43eedc27ed96fdffc405ca92ada9a1f9c39dabd0a74eadb0d54b8de65386459e92b5a28d57b3cdb93246be36
- SSDEEP
  
  1536:iYkFPI9d/06aXbJp5vUMyuw62POmi7ULfGn:2q0VbJpFVYOV7UjGn
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy