xworm

General

Target

2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
Size

724KB
Sample

240524-bgzzysff41
MD5

6e1e63e97c09758e3db18ea31bd95284
SHA1

6f4a188d43122d22a14459123764a094ed56b37c
SHA256

2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512

0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
SSDEEP

12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.27.41:7000

Mutex

9ZF9ZsOZGh1T1r1n

Attributes

Install_directory
%Public%
install_file
csrss.exe

aes.plain

Targets

- Target
  
  2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
- Size
  
  724KB
- MD5
  
  6e1e63e97c09758e3db18ea31bd95284
- SHA1
  
  6f4a188d43122d22a14459123764a094ed56b37c
- SHA256
  
  2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
- SHA512
  
  0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
- SSDEEP
  
  12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables (downlaoders) containing URLs to raw contents of a paste
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Detects Windows executables referencing non-Windows User-Agents

Detects executables (downlaoders) containing URLs to raw contents of a paste

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2