xworm | 73c337120a6135eb471d0620c60ec56e17334aa9252a6bb1b3369a9a850ec6b6 | Triage

Submit
Reports

Overview

overview

Static

static

WizClient.exe

windows10-1703-x64

Sharing

General

Target

WizClient.exe
Size

39KB
Sample

240522-zn76xagb9v
MD5

e9bc6625d69ab3f9d76a84c03aeb580b
SHA1

c151a39a2deaf6f17acd83a6da29e77367bd4431
SHA256

73c337120a6135eb471d0620c60ec56e17334aa9252a6bb1b3369a9a850ec6b6
SHA512

74757e721d6a5f6e9859f19ab4514621a73194dc08be2330f8cb12719d26e87c035fa85139ce6a1920b96a7bf17a187a8458da00e97fccec46eea16ad66bc485
SSDEEP

768:Q8U7CQWoEY/XYWF5Py9COEd6yOwh3IaF03m:QD7WdY/fFk9JS6yOwu002

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

WizClient.exe

Resource

win10-20240404-en

xworm execution persistence rat trojan

windows10-1703-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

192.168.68.100:5552

wiz.bounceme.net:6000

Mutex

1m6oAx39dcsOFnMD

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

aes.plain

Targets

- Target
  
  WizClient.exe
- Size
  
  39KB
- MD5
  
  e9bc6625d69ab3f9d76a84c03aeb580b
- SHA1
  
  c151a39a2deaf6f17acd83a6da29e77367bd4431
- SHA256
  
  73c337120a6135eb471d0620c60ec56e17334aa9252a6bb1b3369a9a850ec6b6
- SHA512
  
  74757e721d6a5f6e9859f19ab4514621a73194dc08be2330f8cb12719d26e87c035fa85139ce6a1920b96a7bf17a187a8458da00e97fccec46eea16ad66bc485
- SSDEEP
  
  768:Q8U7CQWoEY/XYWF5Py9COEd6yOwh3IaF03m:QD7WdY/fFk9JS6yOwu002
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy