xworm | 647b9e3f9d34915b466959d636c69edf1831e53c2c990bbdaee0c419e7ba2550 | Triage

Sharing

General

Target

XCliewnt.exe
Size

36KB
Sample

240524-q4byzaga8y
MD5

b334c63e36cc6f55d6fb14f551680e3f
SHA1

633f0a3c3a35bdedc07b8cef298cfaa77fda35ea
SHA256

647b9e3f9d34915b466959d636c69edf1831e53c2c990bbdaee0c419e7ba2550
SHA512

2e9bca62cfc3d9c498047ab959fd36d02bb85e6c552a74c875c64a11b3f9344d94a7068e0b9e469da223356075d47dd2d6bf023abd4e333e884717cc51a21fa8
SSDEEP

768:TQyEH5b7YJnhMbHh9Q3B7rh/Fu9y6OfhO/O+:rEhMJh2HhOx7r5Fu9y6OfZ+

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

147.185.221.19:61182

Mutex

9c34Jbpr4kfQUsrS

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  XCliewnt.exe
- Size
  
  36KB
- MD5
  
  b334c63e36cc6f55d6fb14f551680e3f
- SHA1
  
  633f0a3c3a35bdedc07b8cef298cfaa77fda35ea
- SHA256
  
  647b9e3f9d34915b466959d636c69edf1831e53c2c990bbdaee0c419e7ba2550
- SHA512
  
  2e9bca62cfc3d9c498047ab959fd36d02bb85e6c552a74c875c64a11b3f9344d94a7068e0b9e469da223356075d47dd2d6bf023abd4e333e884717cc51a21fa8
- SSDEEP
  
  768:TQyEH5b7YJnhMbHh9Q3B7rh/Fu9y6OfhO/O+:rEhMJh2HhOx7r5Fu9y6OfZ+
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan