xworm | 958c2c409b7f77dd4e60fb4995ec70331c7c5170285ac680b10c636ebb3f8692 | Triage

Submit
Reports

Overview

overview

Static

static

3

2bd21cf977...9a.exe

windows7-x64

2bd21cf977...9a.exe

windows10-2004-x64

Sharing

General

Target

801de46b2c66cd9de4e42994e453b705.bin
Size

16.2MB
Sample

240608-dyyjkahb84
MD5

9762d7ff3844a39c96d7e47d1cf09400
SHA1

58fea14cc4e95f078c4b14e4c50b60ff5653b585
SHA256

958c2c409b7f77dd4e60fb4995ec70331c7c5170285ac680b10c636ebb3f8692
SHA512

06d97cde90e6011adcdd4c04b711d7b72f9081b7bae1bfa38b05e2ab7377221069ed875d9cc729d817379a6990c833074a83acb759037082532c768e693385a3
SSDEEP

393216:FIUhUKnp+ufkAI9GLRA1msFZUjHGdyqvQI75ortLCwbOojKVDb:0mp+tT9/ZamGI7I5JbOojqDb

Score

10^/10

xworm pyinstaller rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a.exe

Resource

win7-20240508-en

xworm pyinstaller rat trojan

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a.exe

Resource

win10v2004-20240508-en

xworm pyinstaller rat spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

185.91.127.220:7000

Mutex

J7nl5MwCxTq9hrOG

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a.exe
- Size
  
  16.2MB
- MD5
  
  801de46b2c66cd9de4e42994e453b705
- SHA1
  
  e6f7f7d4e06c9948d062a5bad25da7d6f2ce1199
- SHA256
  
  2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a
- SHA512
  
  7a84ecc5e7f4213a229556d75869c14ab23f95cfcf0788869c102ce5a364c3d108ec5eff4e39c8f8cd10cd76f53006b5372530b7b03dc96a43211e4021041158
- SSDEEP
  
  393216:J3e2a9uurW2iUDWyoPmhPl61L/b/GeROY5CFPnaTTkZE:J309Lrj1rhN61TyRPuTk
Score

10^/10

xworm pyinstaller rat trojan spyware stealer
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpyinstallerrattrojan

behavioral2

xwormpyinstallerratspywarestealertrojan

© 2018-2024

Terms | Privacy