xworm | 2c12323597f6a02460508f622dd3a14f9962b1600e9d8bc8bc438ae39ad59e5b | Triage

Sharing

General

Target

2c12323597f6a02460508f622dd3a14f9962b1600e9d8bc8bc438ae39ad59e5b.zip
Size

432KB
Sample

240614-w55wbssblc
MD5

58537eff71530ae54b78a6344e0a4fa9
SHA1

01df4d272ebd9f1b1b9229aba8564a4b8ee15167
SHA256

2c12323597f6a02460508f622dd3a14f9962b1600e9d8bc8bc438ae39ad59e5b
SHA512

20f4e70c4724da9638ba5978653ef3e9f7eedb22e07a5eec5d00d00fdb52210d2fdb80dc38b0f1323a0a2004fb63033ba9de37110683a28773113b435f775971
SSDEEP

768:AWi42MIOfOpLtC3rJmhkNMVDu3/GJ/Rs5xjkXR:ATMIXLtcKDfqbj0

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

estrella1221.duckdns.org:7000

Mutex

eWvWd8BtCFGhQzWH

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  paymentd.vbs
- Size
  
  400.0MB
- MD5
  
  f902b6c0fc7c5c568eeebd92ff6ad433
- SHA1
  
  eaf2be1a83e493dfcbae2b633bcb950ba1cbfef1
- SHA256
  
  b7cdf571c5dd8199208581dc84a0c2e47f9ebaafc9e1da6e910dbc7333fb296b
- SHA512
  
  00875d2ee215f6cc72111370446f3bff10deddb51aa1ab5282a6e8146083443ece8e216042437fb967422d486ee8c16e6e9fe4eaddf1cce4aaa644fd265927b0
- SSDEEP
  
  768:ma1Fw72kwrqA9vsCP7pkYeDIOcJpzazqeWzR4hw76GiWiQgFGdM+V:mafw72k87leVcK+nVYE97gFGdM+V
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan