xworm | 3004ad4cc1142ca3483bba1a3e5c2244802c0d2df43ba3c066056e2ba8ef1046 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

XClient.exe

windows7-x64

Sharing

General

Target

XClient.exe
Size

217KB
Sample

240616-k8xtcaxgqg
MD5

aafb349d724a1b6ee29e233ce3de9fe2
SHA1

6273688fc2a2f1216c4eab81232d03c65cd4745f
SHA256

3004ad4cc1142ca3483bba1a3e5c2244802c0d2df43ba3c066056e2ba8ef1046
SHA512

533af2f1093638fb181e43c9b12ff3e0fa4f599c824b1ec31181f86306cf7d626820a5cf7e70908cb21d77d91d7e6b7b09c696e056092fe3de0eb273f1d81618
SSDEEP

1536:ZZrLnQSYxHCNJ9SEX+b8oeEVy6D5O3A8wunl+g5zU730/jyY:ZFQxHCNPD+b8+7O3AJC+L3HY

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20240220-en

xworm execution persistence rat trojan

windows7-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

20.ip.gl.ply.gg:25725

<Xwormmm>:123

Attributes

Install_directory
%Temp%
install_file
chiacago.exe
telegram
https://api.telegram.org/bot7378508941:AAFi7xPXoDjOY7Whre_FGKytWzP0LZ_WBF8/sendMessage?chat_id=6877286426

Targets

- Target
  
  XClient.exe
- Size
  
  217KB
- MD5
  
  aafb349d724a1b6ee29e233ce3de9fe2
- SHA1
  
  6273688fc2a2f1216c4eab81232d03c65cd4745f
- SHA256
  
  3004ad4cc1142ca3483bba1a3e5c2244802c0d2df43ba3c066056e2ba8ef1046
- SHA512
  
  533af2f1093638fb181e43c9b12ff3e0fa4f599c824b1ec31181f86306cf7d626820a5cf7e70908cb21d77d91d7e6b7b09c696e056092fe3de0eb273f1d81618
- SSDEEP
  
  1536:ZZrLnQSYxHCNJ9SEX+b8oeEVy6D5O3A8wunl+g5zU730/jyY:ZFQxHCNPD+b8+7O3AJC+L3HY
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy