xworm | 8ad9a17fffa07b434efcb5f370e7f25211361bd1628fb85781e3435eeeaa1e65 | Triage

Submit
Reports

Overview

overview

Static

static

LabyMod4Crt.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

LabyMod4Crt.exe
Size

72KB
Sample

240615-p5dnhs1ena
MD5

8f7d60c2274007ad4220bfa4e313bf35
SHA1

a0a9733f053f92840dc7077cc38519ed4b112751
SHA256

8ad9a17fffa07b434efcb5f370e7f25211361bd1628fb85781e3435eeeaa1e65
SHA512

6c3d06efde57b9ba96a12d5a187490b2fcceb80df886fd16b4cc9fda49f0d6ad6a34a72341cd944c639bbf093daf2204d358f5823787455f1044aabef5b6d170
SSDEEP

1536:w0kvuKMq3o1RchBWJWVE2AyDIQkSSp63bSqQIfcY+6ic0YfO75B4p5t:wUNpOCJWVEoD1wp63bSVIf1O75K5t

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

LabyMod4Crt.exe

Resource

win11-20240611-en

xworm discovery execution persistence rat trojan

windows11-21h2-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  LabyMod4Crt.exe
- Size
  
  72KB
- MD5
  
  8f7d60c2274007ad4220bfa4e313bf35
- SHA1
  
  a0a9733f053f92840dc7077cc38519ed4b112751
- SHA256
  
  8ad9a17fffa07b434efcb5f370e7f25211361bd1628fb85781e3435eeeaa1e65
- SHA512
  
  6c3d06efde57b9ba96a12d5a187490b2fcceb80df886fd16b4cc9fda49f0d6ad6a34a72341cd944c639bbf093daf2204d358f5823787455f1044aabef5b6d170
- SSDEEP
  
  1536:w0kvuKMq3o1RchBWJWVE2AyDIQkSSp63bSqQIfcY+6ic0YfO75B4p5t:wUNpOCJWVEoD1wp63bSVIf1O75K5t
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy