xworm | c61fa2268af1a99cea40efc7d65dacb22e9f848ce1095f6b71ff177d5a428eca | Triage

Sharing

General

Target

c61fa2268af1a99cea40efc7d65dacb22e9f848ce1095f6b71ff177d5a428eca.zip
Size

144KB
Sample

240524-ml58badg8s
MD5

ce77e911a5daeed85e29270a4ee2bc51
SHA1

d30f5fe4e4d3c7acc9b3a5540f4fd44983bc94d3
SHA256

c61fa2268af1a99cea40efc7d65dacb22e9f848ce1095f6b71ff177d5a428eca
SHA512

b201cfeda57934abf70e141db1bb8820d083c845ca0eb2e6484f3245f1227801daa853fd66cbce263799dfb6a39f3316a80b0b0d452e34f81b487927e9ab4771
SSDEEP

3072:Qt+rUKfEpEaDv5Z+iVbqc3eTSTPlkW6RYBnDspXsRXlfMlo0yk7c:Qt+rdEJv5Z+i8cOTU+W66B49sDMlj/7c

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

83.143.112.35:7000

Mutex

zXfBo4LwCYB4EEgV

Attributes

Install_directory
%Temp%
install_file
Google chrome.exe
telegram
https://api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks

aes.plain

Targets

- Target
  
  Moon injector/Moon injector.bat
- Size
  
  195KB
- MD5
  
  6eabc08b51da854cc3ac85f85952a16a
- SHA1
  
  bd5e54e73a40d1330fc4e919adc2f081ece29d85
- SHA256
  
  9489825845b0248a40b35b24d6f80b79383a9edaf08e66e09d57c75f7fe56f1d
- SHA512
  
  816d4eb783e7b77e374d05a57b512f8945b1581ec2a9a363fcece0eb15ca12928a6c3a7eee8f0007c878a9a476309bba5e8806167bb025892173d6a49305347a
- SSDEEP
  
  3072:MIml5Q8bTXiMVfTOJS4b/ZxIEp4v4bSfo693+ag6qR97njpfV/c+Xp7JkRJf01M6:Nwf+nb/8EEq6I6kDlVq2MTK9SXn63
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan