xworm | ca1c729da918f657cd953d41416a08fa85d3577efd583fb602ef6b7cf7b73412 | Triage

Submit
Reports

Overview

overview

Static

static

3

Loader.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

Loader.exe
Size

14.9MB
Sample

240620-t5ye5sxcpa
MD5

99ec7ca91e0775ee4e00eb2a87864042
SHA1

de83f3e72278f93f0beccf468f7025fe675ddef1
SHA256

ca1c729da918f657cd953d41416a08fa85d3577efd583fb602ef6b7cf7b73412
SHA512

71bb4b60ded4d5b97067263a3a792d7dc09116caf264a14694607cade5d6d71951837c9d3d9a6f5e75e27059f3ad63106a4542396e2612342e78a0b5a2b98597
SSDEEP

393216:gvwqyP4/oFkLMXJOIDpGgkZ/MHIbmrB0aN77wBZFj:ujjgisB0gkZ0HfB1NwBDj

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Loader.exe

Resource

win10v2004-20240611-en

xworm execution rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

engineering-thoroughly.gl.at.ply.gg:30205

london-components.gl.at.ply.gg:30205

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Targets

- Target
  
  Loader.exe
- Size
  
  14.9MB
- MD5
  
  99ec7ca91e0775ee4e00eb2a87864042
- SHA1
  
  de83f3e72278f93f0beccf468f7025fe675ddef1
- SHA256
  
  ca1c729da918f657cd953d41416a08fa85d3577efd583fb602ef6b7cf7b73412
- SHA512
  
  71bb4b60ded4d5b97067263a3a792d7dc09116caf264a14694607cade5d6d71951837c9d3d9a6f5e75e27059f3ad63106a4542396e2612342e78a0b5a2b98597
- SSDEEP
  
  393216:gvwqyP4/oFkLMXJOIDpGgkZ/MHIbmrB0aN77wBZFj:ujjgisB0gkZ0HfB1NwBDj
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy