xworm | dc76fed88d6938e78f4c1f26d986ab04849370d4fd52a922c4035257067ee1c9 | Triage

Submit
Reports

Overview

overview

Static

static

svchost.exe

windows10-2004-x64

Sharing

General

Target

svchost.exe
Size

41KB
Sample

240616-z9xbjasfnr
MD5

6ea0adc5e5cb551c5087ba976e17656c
SHA1

dbe7e3b008e579d27f23453a3ee8efcae8a234ac
SHA256

dc76fed88d6938e78f4c1f26d986ab04849370d4fd52a922c4035257067ee1c9
SHA512

de9bd0fab46c5ac48c9a03202d2d2dbb6588b2520d43493b4233ad3a9bc9cbe14f24fd9bfecc632ba55dd6210bd9ea8c1510cd1dbd0177c4713f9a69fb81052a
SSDEEP

768:pod37NnVbmTXwu96SR9r0/dd48Bf6F5PD9O4t668OMhE3EO2h:pHXwuYqyI8BiFl9l868OMS7Y

Score

10^/10

xworm execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

svchost.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

11 signatures

60 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

19.ip.gl.ply.gg:26909

Mutex

ys1Cyr0Q20V3fLLD

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7470818768:AAEb9517MwYc6ADWJM3v8A0fACinKtlgU7w/sendMessage?chat_id=6521445724

aes.plain

Targets

- Target
  
  svchost.exe
- Size
  
  41KB
- MD5
  
  6ea0adc5e5cb551c5087ba976e17656c
- SHA1
  
  dbe7e3b008e579d27f23453a3ee8efcae8a234ac
- SHA256
  
  dc76fed88d6938e78f4c1f26d986ab04849370d4fd52a922c4035257067ee1c9
- SHA512
  
  de9bd0fab46c5ac48c9a03202d2d2dbb6588b2520d43493b4233ad3a9bc9cbe14f24fd9bfecc632ba55dd6210bd9ea8c1510cd1dbd0177c4713f9a69fb81052a
- SSDEEP
  
  768:pod37NnVbmTXwu96SR9r0/dd48Bf6F5PD9O4t668OMhE3EO2h:pHXwuYqyI8BiFl9l868OMS7Y
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy