xworm | e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7 | Triage

Submit
Reports

Overview

overview

Static

static

3

e43ce5c79d...b7.exe

windows7-x64

e43ce5c79d...b7.exe

windows10-2004-x64

Sharing

General

Target

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
Size

726KB
Sample

240523-cl33vaac37
MD5

0e9969044f657b12f4cdad27254e5f91
SHA1

41d8196fd7520fa391361a39e3d1c6e6f124f07e
SHA256

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7
SHA512

2021bc8a0828084bcfbe0af6f997b3847cc0c63fa614db25a9116259b1bf9124eccdf5ad0a1fab37192b535199ad4e5c5570e448be43154baa49bd327db65284
SSDEEP

12288:SMMbni72U8L4042zQ1WVeXFfJoPQ5Puvg8BQcCRjEgTeRJRCIYpu5ssoxU:VMbni723L73/gXFxoY8Y8eckEH

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe

Resource

win7-20240220-en

xworm execution rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe
- Size
  
  726KB
- MD5
  
  0e9969044f657b12f4cdad27254e5f91
- SHA1
  
  41d8196fd7520fa391361a39e3d1c6e6f124f07e
- SHA256
  
  e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7
- SHA512
  
  2021bc8a0828084bcfbe0af6f997b3847cc0c63fa614db25a9116259b1bf9124eccdf5ad0a1fab37192b535199ad4e5c5570e448be43154baa49bd327db65284
- SSDEEP
  
  12288:SMMbni72U8L4042zQ1WVeXFfJoPQ5Puvg8BQcCRjEgTeRJRCIYpu5ssoxU:VMbni723L73/gXFxoY8Y8eckEH
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Detects Windows executables referencing non-Windows User-Agents
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy