xworm | a83142b28be6ce5e81cd2fa3bdf2e8679d2d1b79de2eaa0df59fde1a0e2ee032 | Triage

Submit
Reports

Overview

overview

Static

static

Stand.Launchpad.exe

windows11-21h2-x64

Sharing

General

Target

Stand.Launchpad.exe
Size

101KB
Sample

240601-ed8dpshe74
MD5

1876cff7742d4df6149e00b4abf78425
SHA1

5e81c297afedde245a5e4f3835021659cf541f65
SHA256

a83142b28be6ce5e81cd2fa3bdf2e8679d2d1b79de2eaa0df59fde1a0e2ee032
SHA512

a6dfabf8ba1a7ffbe20fabb12cf964ea3eca04f2115a1f312c7e02daef0c3824947c15e53cab2cf91a01b6945d689d8ce8bb47eee4f39a4e0d8b62292c47722c
SSDEEP

1536:DYQxEiKnGBYp11Kf4eGPCbr4/Audh5F6NNCJOJxxV:DHmpb8f4eGabrqhANWOJrV

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Stand.Launchpad.exe

Resource

win11-20240508-en

xworm execution persistence rat trojan

windows11-21h2-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:43107

Name1442-43107.portmap.host:43107

Attributes

Install_directory
%Temp%
install_file
Stand.exe

Targets

- Target
  
  Stand.Launchpad.exe
- Size
  
  101KB
- MD5
  
  1876cff7742d4df6149e00b4abf78425
- SHA1
  
  5e81c297afedde245a5e4f3835021659cf541f65
- SHA256
  
  a83142b28be6ce5e81cd2fa3bdf2e8679d2d1b79de2eaa0df59fde1a0e2ee032
- SHA512
  
  a6dfabf8ba1a7ffbe20fabb12cf964ea3eca04f2115a1f312c7e02daef0c3824947c15e53cab2cf91a01b6945d689d8ce8bb47eee4f39a4e0d8b62292c47722c
- SSDEEP
  
  1536:DYQxEiKnGBYp11Kf4eGPCbr4/Audh5F6NNCJOJxxV:DHmpb8f4eGabrqhANWOJrV
Score

10^/10

xworm execution persistence rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy