xworm | 7a5335537efdf7a6becc59c61912dd6b2b56ac7a2e9315b32a0dc3f8ac500fc5 | Triage

Sharing

General

Target

kam.cmd
Size

6KB
Sample

240523-t5tryshc6z
MD5

37b176c0abc29ec74dede88ced6e4cf1
SHA1

4aed169208162c12f26dfbe68e94e6781afcc47e
SHA256

7a5335537efdf7a6becc59c61912dd6b2b56ac7a2e9315b32a0dc3f8ac500fc5
SHA512

e8c36cf60ec4ac67dc60e30e8c60b58e12bd4ab522b8990faf038931bc5c93f41b144cc947847e23f09c163cf273f973d5162bf3f37b1c00f2ff7e19c54c5603
SSDEEP

192:qFS6GncJ3ovYJpHx+WHCNQWq/HncI1yiRj:qFS6Gq3AYJ/+AWqPncyX

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  kam.cmd
- Size
  
  6KB
- MD5
  
  37b176c0abc29ec74dede88ced6e4cf1
- SHA1
  
  4aed169208162c12f26dfbe68e94e6781afcc47e
- SHA256
  
  7a5335537efdf7a6becc59c61912dd6b2b56ac7a2e9315b32a0dc3f8ac500fc5
- SHA512
  
  e8c36cf60ec4ac67dc60e30e8c60b58e12bd4ab522b8990faf038931bc5c93f41b144cc947847e23f09c163cf273f973d5162bf3f37b1c00f2ff7e19c54c5603
- SSDEEP
  
  192:qFS6GncJ3ovYJpHx+WHCNQWq/HncI1yiRj:qFS6Gq3AYJ/+AWqPncyX
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan