xworm | 9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7 | Triage

Submit
Reports

Overview

overview

Static

static

3

AnyDesk.exe

windows7-x64

AnyDesk.exe

windows10-2004-x64

Sharing

General

Target

AnyDesk.exe
Size

5.6MB
Sample

240630-zpyc4avfpd
MD5

c655d958dac296c3e6b0667e5f00dada
SHA1

678c76f62274a01a98ddd70082589c4a283c5a5a
SHA256

9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7
SHA512

98c4595eccf9fa67f99e16d36347739932fdbebe29bd95d65e397e60a34002d3724f9221fcf0514631f8cf05808c320cdf4c22eee28e77b06c01993b1079d7a0
SSDEEP

98304:9sNuDeuRqghwVZpsCzTB0saQZ2pT46vyQUiGNcX84I3UjpFU473BJ9kQEuyh2:Qu1ElzTB0saGhkGs84I3U1/JQh2

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

AnyDesk.exe

Resource

win7-20240611-en

xworm execution rat trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

AnyDesk.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

allows-welfare.gl.at.ply.gg:49180

Attributes

Install_directory
%AppData%
install_file
System32pdfc.exe

Targets

- Target
  
  AnyDesk.exe
- Size
  
  5.6MB
- MD5
  
  c655d958dac296c3e6b0667e5f00dada
- SHA1
  
  678c76f62274a01a98ddd70082589c4a283c5a5a
- SHA256
  
  9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7
- SHA512
  
  98c4595eccf9fa67f99e16d36347739932fdbebe29bd95d65e397e60a34002d3724f9221fcf0514631f8cf05808c320cdf4c22eee28e77b06c01993b1079d7a0
- SSDEEP
  
  98304:9sNuDeuRqghwVZpsCzTB0saQZ2pT46vyQUiGNcX84I3UjpFU473BJ9kQEuyh2:Qu1ElzTB0saGhkGs84I3U1/JQh2
Score

10^/10

xworm execution rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy