xworm | ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42 | Triage

Submit
Reports

Overview

overview

Static

static

1

systeminformer.bat

windows10-1703-x64

systeminformer.bat

windows10-2004-x64

systeminformer.bat

windows11-21h2-x64

Sharing

General

Target

systeminformer.bat
Size

408KB
Sample

240627-jcsdbayfje
MD5

34d172bddcf176f4a3c85f2b8083850c
SHA1

6e4fd033d2ed62b464db43b6af1f5bb0e9283a46
SHA256

ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42
SHA512

c52171f7c68902cfe5da18b2a76a59c5a27f1cec92ee330f57f18f9b257079b49d5ff445f4251ad13ba5886e274d5286e062c39cac3a77bbef71909502ab3516
SSDEEP

12288:z4MdFDVqDtPSt2dbWRZpti8C6lhzFAxsbmC:z4UoSCAjti8C6l9eHC

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

systeminformer.bat

Resource

win10-20240404-en

xworm execution persistence rat trojan

windows10-1703-x64

26 signatures

150 seconds

Behavioral task

behavioral2

Sample

systeminformer.bat

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

19 signatures

150 seconds

Behavioral task

behavioral3

Sample

systeminformer.bat

Resource

win11-20240419-en

xworm execution persistence rat trojan

windows11-21h2-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

case-shield.gl.at.ply.gg:26501

Attributes

Install_directory
%Userprofile%
install_file
system.exe

Targets

- Target
  
  systeminformer.bat
- Size
  
  408KB
- MD5
  
  34d172bddcf176f4a3c85f2b8083850c
- SHA1
  
  6e4fd033d2ed62b464db43b6af1f5bb0e9283a46
- SHA256
  
  ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42
- SHA512
  
  c52171f7c68902cfe5da18b2a76a59c5a27f1cec92ee330f57f18f9b257079b49d5ff445f4251ad13ba5886e274d5286e062c39cac3a77bbef71909502ab3516
- SSDEEP
  
  12288:z4MdFDVqDtPSt2dbWRZpti8C6lhzFAxsbmC:z4UoSCAjti8C6l9eHC
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

behavioral3

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy