xworm | d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae | Triage

Sharing

General

Target

d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae.exe
Size

1.0MB
Sample

240522-vtepbsac4y
MD5

a17247378506d83bb0d37b5c1a0f654d
SHA1

5a5e0a251935ab8d9a33dee4ae96e094f18e9c0d
SHA256

d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae
SHA512

21977587adee27694299d8ded2cb6e4945ef0b768186bcd6c67ebc749b9255bdf34e786c4dd4369029c4692ca085e029ed7d62439acc4b5c501fd372b2f9c275
SSDEEP

24576:42kQjNXFD9wX+3zH6s5K4Z3L+M8ucAv23vUPqPmP:XOOmM3L+Ruc9CP

Score

10^/10

xworm evasion execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae.exe
- Size
  
  1.0MB
- MD5
  
  a17247378506d83bb0d37b5c1a0f654d
- SHA1
  
  5a5e0a251935ab8d9a33dee4ae96e094f18e9c0d
- SHA256
  
  d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae
- SHA512
  
  21977587adee27694299d8ded2cb6e4945ef0b768186bcd6c67ebc749b9255bdf34e786c4dd4369029c4692ca085e029ed7d62439acc4b5c501fd372b2f9c275
- SSDEEP
  
  24576:42kQjNXFD9wX+3zH6s5K4Z3L+M8ucAv23vUPqPmP:XOOmM3L+Ruc9CP
Score

10^/10

xworm evasion execution rat trojan
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormevasionexecutionrattrojan

behavioral2

xwormevasionexecutionrattrojan