xworm | 1d6473b8d36b5e67caac53fee7e4461b0d48781199da1ca1bf984bea1a4fcef8 | Triage

Submit
Reports

Overview

overview

Static

static

3

rootcute.exe

windows10-1703-x64

Sharing

General

Target

rootcute.exe
Size

448KB
Sample

240614-2yz96atcmp
MD5

f81dc14bd1106cbe4bfc7852d72e1f9b
SHA1

a983323d2dbdf808faa0868cdc85ec9d2a86c628
SHA256

1d6473b8d36b5e67caac53fee7e4461b0d48781199da1ca1bf984bea1a4fcef8
SHA512

3f7b9024fb3e62cd4c9ce193314cb24dfacd724c50fb5e3aa647e19f719a40008e321bf1ed904b049e72c1a5fd0903342f3424f8f538de5fd7d7c860f6d89fb0
SSDEEP

6144:ndqxtYhoUcF8VwrOPG9081hTd+f8QuLODOcF4cZGzg3Hbh6TXGc/ZOF/eiTA18vz:ewHwCc3hTd+f8tbg9YzvTWcUei8Gr

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

rootcute.exe

Resource

win10-20240611-en

xworm execution persistence rat trojan

windows10-1703-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.0

C2

available-music.gl.at.ply.gg:43415

Mutex

VOQ8XUyxR3mHekGx

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Extracted

Family

xworm

C2

done-declared.gl.at.ply.gg:43143

Attributes

install_file
USB.exe

Targets

- Target
  
  rootcute.exe
- Size
  
  448KB
- MD5
  
  f81dc14bd1106cbe4bfc7852d72e1f9b
- SHA1
  
  a983323d2dbdf808faa0868cdc85ec9d2a86c628
- SHA256
  
  1d6473b8d36b5e67caac53fee7e4461b0d48781199da1ca1bf984bea1a4fcef8
- SHA512
  
  3f7b9024fb3e62cd4c9ce193314cb24dfacd724c50fb5e3aa647e19f719a40008e321bf1ed904b049e72c1a5fd0903342f3424f8f538de5fd7d7c860f6d89fb0
- SSDEEP
  
  6144:ndqxtYhoUcF8VwrOPG9081hTd+f8QuLODOcF4cZGzg3Hbh6TXGc/ZOF/eiTA18vz:ewHwCc3hTd+f8tbg9YzvTWcUei8Gr
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy