xworm | 7734c88d0f1a588938bacf0505aaf50595b26cbc880f005f683990749822a81e | Triage

Sharing

General

Target

Qoexqml.exe
Size

4.4MB
Sample

240615-fr2zhszcjd
MD5

f3164e332fd3142d519da1d7471cbbfb
SHA1

130cea5d4a68ccbefc9b2e7809ef0d33fee6fc7a
SHA256

7734c88d0f1a588938bacf0505aaf50595b26cbc880f005f683990749822a81e
SHA512

b031a5a5a476aa390cd2ab7f1dd779030da3c49560f984a1e7282e3ee52b4aaba0c4176d0de21eaf090b8fe48bfcd2375780e8842e59dc3c681dca74e7915e08
SSDEEP

24576:UIm4HEUTx3mDR6aj5NoJMe+30YaidT2sGbIReLzJs2tSPdSk/Ze6VX/JaYHQfaGf:d

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

Mc35OpRlVfHYgK3s

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/EiiXCJbn

aes.plain

Targets

- Target
  
  Qoexqml.exe
- Size
  
  4.4MB
- MD5
  
  f3164e332fd3142d519da1d7471cbbfb
- SHA1
  
  130cea5d4a68ccbefc9b2e7809ef0d33fee6fc7a
- SHA256
  
  7734c88d0f1a588938bacf0505aaf50595b26cbc880f005f683990749822a81e
- SHA512
  
  b031a5a5a476aa390cd2ab7f1dd779030da3c49560f984a1e7282e3ee52b4aaba0c4176d0de21eaf090b8fe48bfcd2375780e8842e59dc3c681dca74e7915e08
- SSDEEP
  
  24576:UIm4HEUTx3mDR6aj5NoJMe+30YaidT2sGbIReLzJs2tSPdSk/Ze6VX/JaYHQfaGf:d
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan