xworm | b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1 | Triage

Submit
Reports

Overview

overview

Static

static

1

upload.vbs

windows7-x64

upload.vbs

windows10-2004-x64

Sharing

General

Target

upload.vbs
Size

896KB
Sample

240523-t5m96she28
MD5

a227043beb151087c1798b6f9aaabd4c
SHA1

b2c4537386ed7931d9df29719f11f0f019e0f43a
SHA256

b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1
SHA512

1031ce3bea154181078799db133f2a8e419f912d548b69bd21572707bd7a3cf2c44cc273b1f582a0edcae73523c2927c210c0917c758b92364d64977b2ca208e
SSDEEP

12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9p:UXh+k+taGKqoJOp

Score

10^/10

xworm rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

upload.vbs

Resource

win7-20240221-en

xworm rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

upload.vbs

Resource

win10v2004-20240426-en

xworm rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  upload.vbs
- Size
  
  896KB
- MD5
  
  a227043beb151087c1798b6f9aaabd4c
- SHA1
  
  b2c4537386ed7931d9df29719f11f0f019e0f43a
- SHA256
  
  b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1
- SHA512
  
  1031ce3bea154181078799db133f2a8e419f912d548b69bd21572707bd7a3cf2c44cc273b1f582a0edcae73523c2927c210c0917c758b92364d64977b2ca208e
- SSDEEP
  
  12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9p:UXh+k+taGKqoJOp
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy