Overview

overview

10

Static

static

3

Xworm V5.6.exe

windows7-x64

10

Xworm V5.6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Xworm V5.6.exe

  • Size

    15.8MB

  • Sample

    240615-ztagtstfrb

  • MD5

    f192b4e9cf07850041e19ea07cd984e3

  • SHA1

    061a917e9691648e00a7f91ff82ae1c0e8da248b

  • SHA256

    515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7

  • SHA512

    19b9c0c214534d23e134fb29b6b1091ecb8c83f64df1e28219748a61d96bbef31141bb0e8237a5a96ac8bed6c233da6194c719f2c1470155d0a8ad3c194a2f5a

  • SSDEEP

    393216:bZ81TpBxAxlcciQ2RRkaZECMV8ElgSgq4nZ:bpB2jk3Vvlh6

Score
10/10
njratvjw0rmxwormhackedevasionexecutionpersistencerattrojanworm

Malware Config

Extracted

Family

xworm

C2

192.168.1.8:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClienamrt.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

192.168.1.8:7788

Mutex

66d1b8410b347e24d21ce9ad910a4de7

Attributes
  • reg_key

    66d1b8410b347e24d21ce9ad910a4de7

  • splitter

    |'|'|

Targets

    • Target

      Xworm V5.6.exe

    • Size

      15.8MB

    • MD5

      f192b4e9cf07850041e19ea07cd984e3

    • SHA1

      061a917e9691648e00a7f91ff82ae1c0e8da248b

    • SHA256

      515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7

    • SHA512

      19b9c0c214534d23e134fb29b6b1091ecb8c83f64df1e28219748a61d96bbef31141bb0e8237a5a96ac8bed6c233da6194c719f2c1470155d0a8ad3c194a2f5a

    • SSDEEP

      393216:bZ81TpBxAxlcciQ2RRkaZECMV8ElgSgq4nZ:bpB2jk3Vvlh6

    Score
    10/10
    njratvjw0rmxwormhackedevasionexecutionpersistencerattrojanworm

    • Detect Xworm Payload

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks