xworm | 15eb341d2ff1866160269470ef52df4889a17d2ca58476a77d0c2787845888b1 | Triage

Resubmissions

01-07-2024 15:37

240701-s2vz6ssajn 10

01-07-2024 15:16

240701-snwdsa1gmm 10

01-07-2024 11:15

240701-nctzcsycjd 10

01-07-2024 11:04

240701-m6mxga1dnn 10

01-07-2024 09:11

240701-k5xzyawfpr 10

01-07-2024 09:08

240701-k3z2hsweqn 3

01-07-2024 09:03

240701-k1emsswdqq 10

01-07-2024 09:02

240701-kzrkzawdnn 10

30-06-2024 16:46

240630-vagdtathjl 10

Sharing

General

Target

Eagles Image Logger.exe
Size

6.5MB
Sample

240701-kzrkzawdnn
MD5

822f47134b780406c02c48e1cdab2e38
SHA1

aa1c4a7b46223f663c8a8751fd3b295ab6443263
SHA256

15eb341d2ff1866160269470ef52df4889a17d2ca58476a77d0c2787845888b1
SHA512

652d6160ce92af854c865351f4b754d528c4493917bb1c4d54d629cf145ab006447cdc493953636acc18a1be078b06307cdac335ae0aa598a21c7d3832e0a818
SSDEEP

196608:vwSbstG7ykI+gHJnHgZcrOSrGymujAoWeVO:vKG7vI+gpnKnQGyXAod

Score

10^/10

xworm execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

C2

bulletingmarrano-45523.portmap.host:45523

Attributes

Install_directory
%AppData%
install_file
RuntimeBroker.exe

Targets

- Target
  
  Eagles Image Logger.exe
- Size
  
  6.5MB
- MD5
  
  822f47134b780406c02c48e1cdab2e38
- SHA1
  
  aa1c4a7b46223f663c8a8751fd3b295ab6443263
- SHA256
  
  15eb341d2ff1866160269470ef52df4889a17d2ca58476a77d0c2787845888b1
- SHA512
  
  652d6160ce92af854c865351f4b754d528c4493917bb1c4d54d629cf145ab006447cdc493953636acc18a1be078b06307cdac335ae0aa598a21c7d3832e0a818
- SSDEEP
  
  196608:vwSbstG7ykI+gHJnHgZcrOSrGymujAoWeVO:vKG7vI+gpnKnQGyXAod
Score

10^/10

xworm execution persistence pyinstaller rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencepyinstallerrattrojan