xworm | 481bbd6737c0ce01a24654154b563a07caa49aa41d1743cc3ed0ef6d2bb7f172 | Triage

Submit
Reports

Overview

overview

Static

static

Xworm v5.6.1.exe

windows10-2004-x64

Sharing

General

Target

Xworm v5.6.1.exe
Size

45KB
Sample

240614-2kdt1ayfre
MD5

b419e672ce09e76bf687726eb487ac47
SHA1

082df415a432d8d0547bc6e73bbce82233a89990
SHA256

481bbd6737c0ce01a24654154b563a07caa49aa41d1743cc3ed0ef6d2bb7f172
SHA512

b77679b6a11b83cdf222af9b5d54832152eb11b4b16ca1c1a672a53accd5ae111c1ba8eb15e777d8fcc5719c6b7e67b2a816536c03b4a96e711ffe9715b853b7
SSDEEP

768:RIurlDweV3OOVbADM9W1v9NfgkBpuAuREcNcFylVvD4xeVhKfkvLbFEPa9pva76P:RIADweQKADMkV9GkSAcRaclZrOM/FJ9l

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Xworm v5.6.1.exe

Resource

win10v2004-20240611-en

xworm execution persistence rat trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

india-southampton.gl.at.ply.gg:20350

Mutex

CejzkeFsbXIiTGtT

Attributes

Install_directory
%ProgramData%
install_file
USB Update.exe

aes.plain

Targets

- Target
  
  Xworm v5.6.1.exe
- Size
  
  45KB
- MD5
  
  b419e672ce09e76bf687726eb487ac47
- SHA1
  
  082df415a432d8d0547bc6e73bbce82233a89990
- SHA256
  
  481bbd6737c0ce01a24654154b563a07caa49aa41d1743cc3ed0ef6d2bb7f172
- SHA512
  
  b77679b6a11b83cdf222af9b5d54832152eb11b4b16ca1c1a672a53accd5ae111c1ba8eb15e777d8fcc5719c6b7e67b2a816536c03b4a96e711ffe9715b853b7
- SSDEEP
  
  768:RIurlDweV3OOVbADM9W1v9NfgkBpuAuREcNcFylVvD4xeVhKfkvLbFEPa9pva76P:RIADweQKADMkV9GkSAcRaclZrOM/FJ9l
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy