xworm | 23bdba30edb09f2803c16726a4a81bdf71d441086ac962ce637ab1076439bacc | Triage

Submit
Reports

Overview

overview

Static

static

3

mmc.exe

windows7-x64

mmc.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

mmc.exe
Size

310KB
Sample

240613-zs9kjazdqg
MD5

a06f0a8a88646808591565846d009f39
SHA1

8afe7126b8575d99d0570267e41aa78ee94f3bdc
SHA256

23bdba30edb09f2803c16726a4a81bdf71d441086ac962ce637ab1076439bacc
SHA512

dff6e7edd754192a0d8437a94a8a5b1ee8f36df79596915e03f75a347be6397e111027a1b014307422cbc2229cfc5692e8cd69a28e7875166ba4c07a2f824152
SSDEEP

6144:JyH7xOc6H5c6HcT66vlmmOguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOkswbo:Ja6KLBwiZlzMB9xgndcP88DvvP4fHiX6

Score

10^/10

xworm persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

mmc.exe

Resource

win7-20240508-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

mmc.exe

Resource

win10v2004-20240611-en

xworm persistence rat trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Version

3.0

C2

limited-architect.gl.at.ply.gg:52522

Attributes

install_file
game.exe

aes.plain

Targets

- Target
  
  mmc.exe
- Size
  
  310KB
- MD5
  
  a06f0a8a88646808591565846d009f39
- SHA1
  
  8afe7126b8575d99d0570267e41aa78ee94f3bdc
- SHA256
  
  23bdba30edb09f2803c16726a4a81bdf71d441086ac962ce637ab1076439bacc
- SHA512
  
  dff6e7edd754192a0d8437a94a8a5b1ee8f36df79596915e03f75a347be6397e111027a1b014307422cbc2229cfc5692e8cd69a28e7875166ba4c07a2f824152
- SSDEEP
  
  6144:JyH7xOc6H5c6HcT66vlmmOguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOkswbo:Ja6KLBwiZlzMB9xgndcP88DvvP4fHiX6
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy