xworm | 27c1530c5875b2dcc4de80b67e0803c0a625814bac19f6a1c7f9046b381d5fec | Triage

Submit
Reports

Overview

overview

Static

static

1

New folder (4).rar

windows7-x64

3

New folder (4).rar

windows10-2004-x64

Sharing

General

Target

New folder (4).rar
Size

42.2MB
Sample

240609-r4zwgacc85
MD5

1a729f63c1b21231cef7ebae60c93ed3
SHA1

9e0ba9a489462462a54e0c869df46898e3c7c5c3
SHA256

27c1530c5875b2dcc4de80b67e0803c0a625814bac19f6a1c7f9046b381d5fec
SHA512

1e475a7458e5ebcedec3f74c13d1337df16c8cfad40d00cdfc25c21c1403d9dc78c4f42af67775cd9e91095fb845ff27ee0c2cb3c2fb706819ec134f57368d1f
SSDEEP

786432:ThdbPAgM6NRPHcRxRLMlY/rJlKtM0N7bHQuLrOyRksO7v9:T0Z6N25UErJlKtf7J/OyRzw1

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

New folder (4).rar

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

New folder (4).rar

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Targets

- Target
  
  New folder (4).rar
- Size
  
  42.2MB
- MD5
  
  1a729f63c1b21231cef7ebae60c93ed3
- SHA1
  
  9e0ba9a489462462a54e0c869df46898e3c7c5c3
- SHA256
  
  27c1530c5875b2dcc4de80b67e0803c0a625814bac19f6a1c7f9046b381d5fec
- SHA512
  
  1e475a7458e5ebcedec3f74c13d1337df16c8cfad40d00cdfc25c21c1403d9dc78c4f42af67775cd9e91095fb845ff27ee0c2cb3c2fb706819ec134f57368d1f
- SSDEEP
  
  786432:ThdbPAgM6NRPHcRxRLMlY/rJlKtM0N7bHQuLrOyRksO7v9:T0Z6N25UErJlKtf7J/OyRzw1
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy