xworm | 76831861c63423ead0c5e04f4a3d4c783e6f323b8588937f55b120661c9c667e | Triage

Submit
Reports

Overview

overview

Static

static

svhost.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

svhost.exe
Size

91KB
Sample

240613-qtmygs1cjd
MD5

e87462ae3b41631176f2ca83121adea8
SHA1

4aed680f845857cdf30f8f2d1a207131e59eb75f
SHA256

76831861c63423ead0c5e04f4a3d4c783e6f323b8588937f55b120661c9c667e
SHA512

d5e7cbfe0c12cf7bc6dc7355d74bf412356fff69a31b98c247e6588358b7a149acdd418b393b645eecdb50cd8da41fb5a982f8facbfc53ab3866eb70573c7dd9
SSDEEP

1536:jjrPiyRZ7xNS080myYnAtvD5ebJWaEpY3FV+6ja5OBy6pM2joAd3h:vrPiyX8ZyYmUbJXb3F45OkANjoSh

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

svhost.exe

Resource

win10v2004-20240611-en

xworm execution persistence rat trojan

windows10-2004-x64

14 signatures

30 seconds

Malware Config

Extracted

Family

xworm

C2

location-involvement.gl.at.ply.gg:4325

<Xwormmm>:4325

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7168105056:AAFuCvmRFCu4d1tQpp-hoVahbWiR2XeHgHc/sendMessage?chat_id=1992635040

Targets

- Target
  
  svhost.exe
- Size
  
  91KB
- MD5
  
  e87462ae3b41631176f2ca83121adea8
- SHA1
  
  4aed680f845857cdf30f8f2d1a207131e59eb75f
- SHA256
  
  76831861c63423ead0c5e04f4a3d4c783e6f323b8588937f55b120661c9c667e
- SHA512
  
  d5e7cbfe0c12cf7bc6dc7355d74bf412356fff69a31b98c247e6588358b7a149acdd418b393b645eecdb50cd8da41fb5a982f8facbfc53ab3866eb70573c7dd9
- SSDEEP
  
  1536:jjrPiyRZ7xNS080myYnAtvD5ebJWaEpY3FV+6ja5OBy6pM2joAd3h:vrPiyX8ZyYmUbJXb3F45OkANjoSh
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy