xworm | 0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

Iinpdftw.exe

windows11-21h2-x64

Sharing

General

Target

Iinpdftw.exe
Size

4.7MB
Sample

240615-fwm16atcrr
MD5

a9cb0e951c7ede7c23b5ba350b4920fd
SHA1

a16b2377a77e86b2a2cd27d58c44218e8aaa1a66
SHA256

0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864
SHA512

300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4
SSDEEP

24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Iinpdftw.exe

Resource

win11-20240508-en

xworm execution rat trojan

windows11-21h2-x64

16 signatures

60 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

Mc35OpRlVfHYgK3s

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/EiiXCJbn

aes.plain

Targets

- Target
  
  Iinpdftw.exe
- Size
  
  4.7MB
- MD5
  
  a9cb0e951c7ede7c23b5ba350b4920fd
- SHA1
  
  a16b2377a77e86b2a2cd27d58c44218e8aaa1a66
- SHA256
  
  0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864
- SHA512
  
  300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4
- SSDEEP
  
  24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy