xworm | 7cd33bcb83388587511f2742c413c1d92c1f0ccd4484796f3506e4e707272961 | Triage

Sharing

General

Target

RyverV1.exe
Size

34KB
Sample

240608-pwj4yabg3y
MD5

40dcb13aad89903202f4b9b3f7f0e540
SHA1

dd2b289bafd1d8b4434829b1c840ddd42ed482cd
SHA256

7cd33bcb83388587511f2742c413c1d92c1f0ccd4484796f3506e4e707272961
SHA512

98031954a601d94e1a60360266b5cf2f9c8b6ca483a330d7fe4d1582c3704fd5847b1d38a34935bf25b50553f4acab0d4e947a10f691404cb09144633a4c3cd3
SSDEEP

768:UtH6rNd7AtFPNhzIgtoFT9Fy9YcOjhg/JcB5:UtuNJyF0gto3Fy9YcOjKBcB5

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

192.168.68.71:7000

192.168.68.1:7000

Mutex

CzgNqDo2UQE0MivR

Attributes

Install_directory
%AppData%
install_file
Ryver Attach.exe

aes.plain

Targets

- Target
  
  RyverV1.exe
- Size
  
  34KB
- MD5
  
  40dcb13aad89903202f4b9b3f7f0e540
- SHA1
  
  dd2b289bafd1d8b4434829b1c840ddd42ed482cd
- SHA256
  
  7cd33bcb83388587511f2742c413c1d92c1f0ccd4484796f3506e4e707272961
- SHA512
  
  98031954a601d94e1a60360266b5cf2f9c8b6ca483a330d7fe4d1582c3704fd5847b1d38a34935bf25b50553f4acab0d4e947a10f691404cb09144633a4c3cd3
- SSDEEP
  
  768:UtH6rNd7AtFPNhzIgtoFT9Fy9YcOjhg/JcB5:UtuNJyF0gto3Fy9YcOjKBcB5
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpersistencerattrojan