xworm | 1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

Prism Rele....5.exe

windows10-2004-x64

Prism Rele....5.exe

windows11-21h2-x64

Resubmissions

15/06/2024, 13:17

240615-qjcprswbjp 10

15/06/2024, 13:11

240615-qe95gavhrr 10

15/06/2024, 13:08

240615-qdjwws1hjh 10

Sharing

General

Target

Prism Release.rar
Size

5.0MB
Sample

240615-qjcprswbjp
MD5

2457eb120e8fbef34c97cef775362cc9
SHA1

547d2a58c06febe45ba1f0deabdf68b759f40029
SHA256

1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3
SHA512

e9e4ac28364ccb457000f9863ac3b8616b75bed9b52e815d90d6fceff6305c823df06548263555d81758af5f6fc5d3cfde2fed64e3c774075abf2801a181a4fb
SSDEEP

98304:ehIWTfpVs6CcFSLDyaWHWbv93eBBTWWXBmxvWryhangOJnTo5Q9i:ehIWTh26Cc4LGQ7mrBGWSaLZTkQ9i

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Prism Release/Prism Release V1.5.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Prism Release/Prism Release V1.5.exe

Resource

win11-20240419-en

xworm execution persistence rat trojan

windows11-21h2-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Targets

- Target
  
  Prism Release/Prism Release V1.5.exe
- Size
  
  5.1MB
- MD5
  
  ac80f970a7ae1c07663abdd11d752d34
- SHA1
  
  5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
- SHA256
  
  b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
- SHA512
  
  7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
- SSDEEP
  
  98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy