xworm | ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb | Triage

Sharing

General

Target

MonkerV1GuiTest.bat
Size

294KB
Sample

240522-wb2xksag6t
MD5

2b235c5e792b8c3dcbc4ccd0ccff02de
SHA1

6dd8fac6545df5f64bda4e746f3921d9a072bb59
SHA256

ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb
SHA512

cf61c50763cf8656bfb23250553052c1191179d30b50884f1cf8dcae64be48eae8dc43b9ccdb453e38e71bd4f5cfe94f8d44e86ba80552232eacdf23bac99e2f
SSDEEP

6144:6pA2upleIJqLKXd33GCpiMcOa+7seZEN3CbryZPhvAF8:6pAdpwoqa93GO2Oa+tON3CbGvf

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

135.125.21.87:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  MonkerV1GuiTest.bat
- Size
  
  294KB
- MD5
  
  2b235c5e792b8c3dcbc4ccd0ccff02de
- SHA1
  
  6dd8fac6545df5f64bda4e746f3921d9a072bb59
- SHA256
  
  ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb
- SHA512
  
  cf61c50763cf8656bfb23250553052c1191179d30b50884f1cf8dcae64be48eae8dc43b9ccdb453e38e71bd4f5cfe94f8d44e86ba80552232eacdf23bac99e2f
- SSDEEP
  
  6144:6pA2upleIJqLKXd33GCpiMcOa+7seZEN3CbryZPhvAF8:6pAdpwoqa93GO2Oa+tON3CbGvf
Score

10^/10

execution xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan