xworm | 2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b | Triage

Submit
Reports

Overview

overview

Static

static

1

2d1c1347b0...9b.exe

windows7-x64

2d1c1347b0...9b.exe

windows10-2004-x64

Sharing

General

Target

2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b.exe
Size

1.4MB
Sample

240522-vtqftsac28
MD5

e84bb6efc8e0ebec1826b770cfb59bd9
SHA1

5fe35e0b634a95fcff997882839004a225a29bf1
SHA256

2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b
SHA512

562cef1a697cdb516d09341b58d790984284b6617ba5a24040b1a36ae3cd448b8857a7e5dcd1f541d5e18888fe7b525894077fce08463d5a7dfe2b00eb0de810
SSDEEP

24576:uOnCbIk+tdLb0Tj3ndie/UV7EMhD6ZnlyBI0DJewitKUiVh8t6S9U8XxT9Q+FTtT:prUlH0UcBS9UutT

Score

10^/10

xworm evasion execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b.exe

Resource

win7-20240508-en

xworm evasion execution rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b.exe

Resource

win10v2004-20240426-en

xworm evasion execution rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b.exe
- Size
  
  1.4MB
- MD5
  
  e84bb6efc8e0ebec1826b770cfb59bd9
- SHA1
  
  5fe35e0b634a95fcff997882839004a225a29bf1
- SHA256
  
  2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b
- SHA512
  
  562cef1a697cdb516d09341b58d790984284b6617ba5a24040b1a36ae3cd448b8857a7e5dcd1f541d5e18888fe7b525894077fce08463d5a7dfe2b00eb0de810
- SSDEEP
  
  24576:uOnCbIk+tdLb0Tj3ndie/UV7EMhD6ZnlyBI0DJewitKUiVh8t6S9U8XxT9Q+FTtT:prUlH0UcBS9UutT
Score

10^/10

xworm evasion execution rat trojan
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormevasionexecutionrattrojan

behavioral2

xwormevasionexecutionrattrojan

© 2018-2024

Terms | Privacy