xworm | 7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows7-x64

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

173KB
Sample

240525-pab67shg74
MD5

e53cfc4155bf01620aaf3ef5041116f2
SHA1

50b4d70680945e7e5806de76b47d56d1fc2af985
SHA256

7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95
SHA512

63babf167c3ebdebf672213d68a441e3973009f52dc34d0f6bec880f8a9712669c223da43f0cd066da0e5495e885f66f5d2a366f918c07bb97b22fe6c8d58232
SSDEEP

3072:xIeFPAg95lvc+b6iTPXGOXx2Bz65/M6If+3Js+3JFkKeTns:xqg7Xbd2xBt25

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20240508-en

xworm execution persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

XClient.exe

Resource

win10v2004-20240426-en

xworm execution persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

advertise-located.gl.at.ply.gg:54921

19.ip.gl.ply.gg:54921

Attributes

Install_directory
%AppData%
install_file
cmd.exe

Targets

- Target
  
  XClient.exe
- Size
  
  173KB
- MD5
  
  e53cfc4155bf01620aaf3ef5041116f2
- SHA1
  
  50b4d70680945e7e5806de76b47d56d1fc2af985
- SHA256
  
  7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95
- SHA512
  
  63babf167c3ebdebf672213d68a441e3973009f52dc34d0f6bec880f8a9712669c223da43f0cd066da0e5495e885f66f5d2a366f918c07bb97b22fe6c8d58232
- SSDEEP
  
  3072:xIeFPAg95lvc+b6iTPXGOXx2Bz65/M6If+3Js+3JFkKeTns:xqg7Xbd2xBt25
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy