xworm | 0e9ed9a55cd440844668e5937cd2afb5a48dd5a17a3530fc4f9868038e305723 | Triage

Submit
Reports

Overview

overview

Static

static

oxyinstaller.exe

windows7-x64

oxyinstaller.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

oxyinstaller.exe
Size

67KB
Sample

240620-ph79ls1ekr
MD5

2b274de1ba95b66b41fd57ba95e10653
SHA1

ac08368b132f60bf0bd6adfb78153be62883c878
SHA256

0e9ed9a55cd440844668e5937cd2afb5a48dd5a17a3530fc4f9868038e305723
SHA512

fa37fec96549faaf75c775902917aa250f484db72c11d3324cabea37deb609d26c992f7dc26ce5714388784cf688a103c8d33d9e82bb9f0acedc357aa86d5844
SSDEEP

1536:AO6daHktjZytoFTeuDXvq0Zp2yby0BT7BIP5b6xihOuuvZY:da0o1euDXkyby11hOuGZY

Score

10^/10

xworm execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

oxyinstaller.exe

Resource

win7-20240221-en

xworm execution rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

oxyinstaller.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32901

engineering-thoroughly.gl.at.ply.gg:32901

Attributes

Install_directory
%AppData%
install_file
OxyInstaller.exe

Targets

- Target
  
  oxyinstaller.exe
- Size
  
  67KB
- MD5
  
  2b274de1ba95b66b41fd57ba95e10653
- SHA1
  
  ac08368b132f60bf0bd6adfb78153be62883c878
- SHA256
  
  0e9ed9a55cd440844668e5937cd2afb5a48dd5a17a3530fc4f9868038e305723
- SHA512
  
  fa37fec96549faaf75c775902917aa250f484db72c11d3324cabea37deb609d26c992f7dc26ce5714388784cf688a103c8d33d9e82bb9f0acedc357aa86d5844
- SSDEEP
  
  1536:AO6daHktjZytoFTeuDXvq0Zp2yby0BT7BIP5b6xihOuuvZY:da0o1euDXkyby11hOuGZY
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy