xworm | 759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d | Triage

Submit
Reports

Overview

overview

Static

static

3

combined.exe

windows10-1703-x64

Sharing

General

Target

combined.exe
Size

11.4MB
Sample

240522-w19zgsbh88
MD5

aaa99d2d8a50c6da60aeb620fb3aa340
SHA1

c734c86f06640c029b6a0521ac59981ac2ad3c9b
SHA256

759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d
SHA512

d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337
SSDEEP

196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL

Score

10^/10

xworm evasion execution persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

combined.exe

Resource

win10-20240404-en

xworm evasion execution persistence rat trojan upx

windows10-1703-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

engine-romania.gl.at.ply.gg:37581

Attributes

Install_directory
%AppData%
install_file
discord.exe

Targets

- Target
  
  combined.exe
- Size
  
  11.4MB
- MD5
  
  aaa99d2d8a50c6da60aeb620fb3aa340
- SHA1
  
  c734c86f06640c029b6a0521ac59981ac2ad3c9b
- SHA256
  
  759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d
- SHA512
  
  d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337
- SSDEEP
  
  196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL
Score

10^/10

xworm evasion execution persistence rat trojan upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

Process Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormevasionexecutionpersistencerattrojanupx

© 2018-2024

Terms | Privacy