xworm | 68f7a4ce68d84bdde71cb6543d90e5e0e08602db22f9b6388d31876c601fac31 | Triage

Submit
Reports

Overview

overview

Static

static

3

GetRyverV1.5.exe

windows7-x64

1

GetRyverV1.5.exe

windows10-2004-x64

Sharing

General

Target

GetRyverV1.5.exe
Size

89KB
Sample

240609-mazw6ahc3v
MD5

5f0f7fa98655c618b7fb9bce8e01dca0
SHA1

b13e2ec9f71f916b4934200901a1bd85a7e19423
SHA256

68f7a4ce68d84bdde71cb6543d90e5e0e08602db22f9b6388d31876c601fac31
SHA512

8c99f654d7e6a997861e3a6f01820836dc4e43bffed604e804fae06112d259f85658d1670709e5a7341d2f15ac00639f259eea724e6a618ac341bb9f9fd245d0
SSDEEP

1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfiwiOp:P7DhdC6kzWypvaQ0FxyNTBfii

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

GetRyverV1.5.exe

Resource

win7-20240221-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

GetRyverV1.5.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

1Wjei6X4VHgtDydY

Attributes

Install_directory
%AppData%
install_file
dlhost.exe
pastebin_url
https://pastebin.com/raw/pw1j2xqz

aes.plain

Targets

- Target
  
  GetRyverV1.5.exe
- Size
  
  89KB
- MD5
  
  5f0f7fa98655c618b7fb9bce8e01dca0
- SHA1
  
  b13e2ec9f71f916b4934200901a1bd85a7e19423
- SHA256
  
  68f7a4ce68d84bdde71cb6543d90e5e0e08602db22f9b6388d31876c601fac31
- SHA512
  
  8c99f654d7e6a997861e3a6f01820836dc4e43bffed604e804fae06112d259f85658d1670709e5a7341d2f15ac00639f259eea724e6a618ac341bb9f9fd245d0
- SSDEEP
  
  1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfiwiOp:P7DhdC6kzWypvaQ0FxyNTBfii
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy