xworm | 87f9edf63f5ed75ec7f23f9837062a50b34ae7b60b53f93836c864eedf592055 | Triage

Submit
Reports

Overview

overview

Static

static

3

bad53d6e66...76.exe

windows7-x64

bad53d6e66...76.exe

windows10-2004-x64

Sharing

General

Target

79a3854fb0bddb26135bc0311f21ed76.bin
Size

461KB
Sample

240615-bzpxpsvara
MD5

bf1e10401acbe5ea25fba3cab2476434
SHA1

fb7688a1ff6383bfda95b7c7bf460021ef857db1
SHA256

87f9edf63f5ed75ec7f23f9837062a50b34ae7b60b53f93836c864eedf592055
SHA512

9862b10f0bfab0fd145b67da74ae4b095e984e7be85171a0bd41e86944768c4f77be3cfac080199006ad7c7e296befc3198c8f3b6760bc5b9c07eba6df51fd49
SSDEEP

12288:ZYwfc+MSr8+6MqzdLthaLkPxNAWo0xjebtwYvh:PkcGM4JQuH1vjqLvh

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

Resource

win7-20240221-en

xworm execution rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76.exe
- Size
  
  493KB
- MD5
  
  79a3854fb0bddb26135bc0311f21ed76
- SHA1
  
  8c352e1807c00bd32c7cde3e0ece9bf33b6db927
- SHA256
  
  bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76
- SHA512
  
  2386b686b351f793d86db09e4a9a9bf39ffd0c7ec74ecc7e36ad78beeb092c97d0213dc628332df73856527768d95f507bc19e4b195bd06eec5305ac06f8d896
- SSDEEP
  
  12288:O8yCK2xrOodLv2npXmznJHTWFB40fJH9TaCf4wrDjbj:XyC5UpXmzJWLt9Ta64Ofb
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy