xworm

Sharing

Copy URL

Twitter E-mail

General

Target

topware-beta.rar
Size

7.6MB
Sample

240707-dv8kcsvcqh
MD5

cbab2799ab5ed6e4cfd0e90732f8c753
SHA1

864db886d8fc8ef3f506681d9a8715c9b7d5ec4d
SHA256

e55752ce0e4bdc9426430bf580efd1559864d24c3c0f118d58ff513e6d618fd1
SHA512

9a396e4e1a6fb54f1b9eec652da7f906768360953f312bf4d705bd39b406157aa87f8ae8785696eaa538272f769ecbf97f5cd80f87b0ff95319e7ca1f40e5214
SSDEEP

196608:kTFmL8iYNZoL66tULFG9BSZmvnHv3t04+VdqhGIEfpx:kxMWZ++LF/ZmvHv3S4+rqhCpx

Score

10^/10

Malware Config

Extracted

Family

xworm

79.110.49.233:4444

Attributes

Install_directory
%AppData%
install_file
VSREDIST.exe

Targets

- Target
  
  bin/antvms.dll
- Size
  
  319KB
- MD5
  
  0867c6c53da333c4a0572e64b2d7466f
- SHA1
  
  41aced5a92ab64c178177adf12ede86c4a42d1fd
- SHA256
  
  8372b3b2bd6d1bb1c8beb2780989554dd5599625981d7f297c38e5a870f703cc
- SHA512
  
  0c2dc57f1c93b51233ccd33fca871a6bac8dd002deb8b7d1b86fca5d4433255dd51928947069f99936e4099b779bd47ae3dcb20de4cccef282ee0fa2f9975ce3
- SSDEEP
  
  6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ9:kdG
Score

1^/10
behavioral1 behavioral2
- Target
  
  bin/debug/AnyDesk.exe
- Size
  
  5.1MB
- MD5
  
  aee6801792d67607f228be8cec8291f9
- SHA1
  
  bf6ba727ff14ca2fddf619f292d56db9d9088066
- SHA256
  
  1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
- SHA512
  
  09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
- SSDEEP
  
  98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR
Score

5^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  bin/debug/debug.main.exe
- Size
  
  64KB
- MD5
  
  36969de6b4bf8de24684de1bb71f624f
- SHA1
  
  0327d7d9d7f739e4b09bab680249ed997a281c9b
- SHA256
  
  57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf
- SHA512
  
  cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548
- SSDEEP
  
  1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6
- Target
  
  bin/release/release.exe
- Size
  
  64KB
- MD5
  
  36969de6b4bf8de24684de1bb71f624f
- SHA1
  
  0327d7d9d7f739e4b09bab680249ed997a281c9b
- SHA256
  
  57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf
- SHA512
  
  cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548
- SSDEEP
  
  1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8
- Target
  
  bin/trafficencryptor.dll
- Size
  
  346KB
- MD5
  
  5a188b7f782eb697fb5e12c630bcbea2
- SHA1
  
  ed665dddb109b219c91d494d1a3433dedab6381e
- SHA256
  
  8582cd4cfffb6fd4c99ee69ad316c737c9e72d96e6b9c4a470f43743d0f431e9
- SHA512
  
  3fd5dd66fa12bf4870ed78bd20d6a8f1e9effbee8022455206bae24b635d380cccda9f47d472ebd0e8062981a0a0a4428d277a392c7ea1c351b28af9eccbfd4a
- SSDEEP
  
  6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZO:kdR7l
Score

1^/10
behavioral10 behavioral9
- Target
  
  bin/xfcmain.dll
- Size
  
  326KB
- MD5
  
  ba72f62f7cdb4935d667925625df9559
- SHA1
  
  908b431bea3fc6b65941276a7662c69266e15490
- SHA256
  
  b33b11b3033529ff05539ff55c8c3cb476fedb28c3e62df8235ba6ff3b3b20c9
- SHA512
  
  abaad730a6e099bf6d584a15e397efc4e6e357da31975b9cee8e4a60e4a0301723714fb473c31fbaa1a1b374e3cc648b0b75fdf75d8368722eaa2aab24a073be
- SSDEEP
  
  6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZk:kd7dz1
Score

1^/10
behavioral11 behavioral12
- Target
  
  bin/xfcstart.dll
- Size
  
  339KB
- MD5
  
  88768a731826f71373c397cf874046de
- SHA1
  
  c90a75c75986e55a3c358f2056df810560c84612
- SHA256
  
  f434f0d8a67c84bbc9baf18bcbfdff3ce338da3442d135067a22b87c238d6675
- SHA512
  
  930f754dd59f31c5ef9710104e40f6024c5a49c0d76c16902562b90c887024d3053695a10ba7c8303be441d71d0150d02dc76b6059afb614f83339dad90508b1
- SSDEEP
  
  6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ9:kdG
Score

1^/10
behavioral13 behavioral14
- Target
  
  debugger.exe
- Size
  
  64KB
- MD5
  
  36969de6b4bf8de24684de1bb71f624f
- SHA1
  
  0327d7d9d7f739e4b09bab680249ed997a281c9b
- SHA256
  
  57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf
- SHA512
  
  cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548
- SSDEEP
  
  1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  execution.dll
- Size
  
  1.3MB
- MD5
  
  09cba584aa0aae9fc600745567393ef6
- SHA1
  
  bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279
- SHA256
  
  0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5
- SHA512
  
  5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1
- SSDEEP
  
  24576:5Ac2t6Twn/0ke6ruDPMY0BQJzTzAC991g44ekgpqc4CQKZi5P9xh0gsWLgiHesms:q6TmQJrXg44ekgpqc4CQKZi5P9xh0gsI
Score

1^/10
behavioral17 behavioral18
- Target
  
  injectprint.dll
- Size
  
  3.9MB
- MD5
  
  3b4647bcb9feb591c2c05d1a606ed988
- SHA1
  
  b42c59f96fb069fd49009dfd94550a7764e6c97c
- SHA256
  
  35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7
- SHA512
  
  00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50
- SSDEEP
  
  49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
Score

3^/10
behavioral19
- Target
  
  lz4.dll
- Size
  
  117KB
- MD5
  
  f7e2f224f8dbe22012c7ff20590b8770
- SHA1
  
  99775e038e306a2b5f73f6e7d8d42a5799ace824
- SHA256
  
  c62f829bc0f820bca6bf14b380b285a169cd1395df864bbec692f8ca31bc4e70
- SHA512
  
  96d2938cd77b48e4efdc7212a92327ac5ce43ad757fcff88eb5cbd3eb2fac1bbcaa2e119881f3cb902c634db8ef16e69146ebfe972ab0ecb2cf3b769e0818f89
- SSDEEP
  
  1536:FVP0R6tS1m4baJ1ocCcl+DBZD5C3gTg60bEior69ggjpA38Ajcqv:Fxy9bs1oTfBZDugTgpbEXh0A38AYk
Score

1^/10
behavioral20 behavioral21
- Target
  
  offsets.dll
- Size
  
  1021B
- MD5
  
  d0b33be30e3ef0fe9e272061a12ee79a
- SHA1
  
  d4e62e1bf492a991537659c469ebabcb75b4d49f
- SHA256
  
  8d4cdee0284fbede0c15b61d79d3ff85c1a00a30cc99a469def972e0a044c36d
- SHA512
  
  c6f25b7d2b32bcfafb25e7e21fb0cc346bf844cbae2e27b78bede4939eb39647e6eed97da3699bd2d5f07e7cc0c1005c6ca6840136a729974c10ffdd6438f247
Score

1^/10
behavioral22 behavioral23
- Target
  
  topware.inject.dll
- Size
  
  17KB
- MD5
  
  690738776ba844a6d7d98d8c2ca97737
- SHA1
  
  c852b8a53e895248b1a182bd4f737bc2a3f1ea3b
- SHA256
  
  e5b4c0d091db6e95151fa55843b57639e78e2af97d55177fe9e628955f1fc900
- SHA512
  
  ca05b797535703c8f369d3b7fb5d82813a20d4ea8cd03e7fa26ce2c7059a30fdfc5ffb7317eab9330e161f0fc5196730424720c8c816c3ab90b3703e43ee98d4
- SSDEEP
  
  192:YWUl1a80XXXPll3iYskmr3COA4TJr6cdcvGxTq6bdxTOZU+OVkWLPisOI7pTh:YWUl1aJHPll3iLdJrrdcvGpQ9kn
Score

3^/10

execution
behavioral24 behavioral25
- Target
  
  topware.py
- Size
  
  1KB
- MD5
  
  a8c73f5f04db064ac16b41efaa8b591c
- SHA1
  
  4da291c845b26e199131c746829e9f04eb5198d3
- SHA256
  
  264cae1900046b4f1fb0294f852e67e94d226b84ef75b6388cfd5c762197f843
- SHA512
  
  d2ec2c603fd9cf58becd6698faaf182434b4c23d22bfc1cc456a841e92f32e15dd038442e54d854edd2c2c1e2ba8465d200d971b7a381cd319c5ac797a651b7a
Score

3^/10
behavioral26 behavioral27
- Target
  
  xxhash.dll
- Size
  
  45KB
- MD5
  
  161bd3d60228dd16c54a927250af3e49
- SHA1
  
  463243c3cc2e0bca16f3ced2c3b70c13a0e97fa6
- SHA256
  
  ecb5aa2bf0ff355a7b36bb3a991264655e13e0f2c9e88b9dfa39d7fe4c5142a7
- SHA512
  
  3716ce34c1e9931007f374685a6588bc355e942872e7a42eaa4c5be9a0fdc93f081a1dc5c3d8fec4a4563dbd556f4d046f7bf3d50840c02d8aa822eaca7a577b
- SSDEEP
  
  768:I9otvM7DZ1LMDJdj+LVvgFlJus4zBOQdlyR0/A:I9UEDLMDJxKM0scUS
Score

1^/10
behavioral28 behavioral29
- Target
  
  zinl1.dll
- Size
  
  1.2MB
- MD5
  
  a396ee8375252d04da31676fe1b3ff75
- SHA1
  
  57aee1e5b69a85d0e0b7d5a103ddb683f0204cce
- SHA256
  
  7dc3aeda7518abb376a6932583669e7e1595a656edeae65af1397807322e8a25
- SHA512
  
  ff755bed789869a8cc2adc05b7a3b234ef93997b1774cc719d506ce4dd03fcd0ed6d320a13d815e27a21ebdf99f3308ea47a8de6b9a25ca4eaa8fb4045fbb0db
- SSDEEP
  
  24576:yoCqsxtqSepCBr5fFrHodqht+tmiw9P9TsdJRV5Wodh8NHmoz:3CzASep0r5fFrHoUht+tU9TsrRV5WodE
Score

1^/10
behavioral30 behavioral31
- Target
  
  zlib1.dll
- Size
  
  87KB
- MD5
  
  f6fc96cfccdd9958a157546faa4c13a9
- SHA1
  
  ae8e4171a0583a761ae4428e5757daeedaf2a157
- SHA256
  
  231e29c228652e9d6504e608a1cc53311e762cd4c78deb7c9ef11bc27f13d3da
- SHA512
  
  fb983083b5c620616d2547a7903f8ebfd2ad52ed9bdde8264b6e555fb47644c488779d3ade52f5e601dbc31e67f40ea973f41f45af242790dc5d8a91c163c8dc
- SSDEEP
  
  1536:Q7wjHHWwn1rhEzjEp70E2thqlz4bqIOcIOZFkGnd02H:QcjH2w1EjEpIq6b4SZFfndjH
Score

1^/10
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32