xworm | 10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d | Triage

Resubmissions

23-06-2024 14:41

240623-r2tlnsyblp 10

23-06-2024 14:41

240623-r2gbcavbqa 10

23-06-2024 13:03

240623-qaqj9s1enc 10

23-06-2024 12:34

240623-pr56lsthjk 10

Sharing

General

Target

Bloxstrap 2.5.4.exe
Size

66KB
Sample

240623-qaqj9s1enc
MD5

0680a239ba405c1935c687ebdf6d4540
SHA1

bf2cc8de357fe1af9888e120e1c139ca2bc77c15
SHA256

10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d
SHA512

09ff2d0449404f7b704cb8270ceecfc87d84c42c202a55ce20fb425230d81f5bf8a798c1c52a2a1ed19c599ad8d2f72188c561d734dd79ac70b7973fbd07fc73
SSDEEP

1536:44Sw2KfDxiZcy2fdbdFSQ37E6vObaKjG:4OL1yGdbdF5ZObPG

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

medical-m.gl.at.ply.gg:28857

Attributes

Install_directory
%ProgramData%
install_file
Runtime Broker.exe

Targets

- Target
  
  Bloxstrap 2.5.4.exe
- Size
  
  66KB
- MD5
  
  0680a239ba405c1935c687ebdf6d4540
- SHA1
  
  bf2cc8de357fe1af9888e120e1c139ca2bc77c15
- SHA256
  
  10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d
- SHA512
  
  09ff2d0449404f7b704cb8270ceecfc87d84c42c202a55ce20fb425230d81f5bf8a798c1c52a2a1ed19c599ad8d2f72188c561d734dd79ac70b7973fbd07fc73
- SSDEEP
  
  1536:44Sw2KfDxiZcy2fdbdFSQ37E6vObaKjG:4OL1yGdbdF5ZObPG
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan