xworm | 76ac8355a799b81b7adc8b3a3ee5f6f64f4cbd2ef23a421117346505da71a32c | Triage

Submit
Reports

Overview

overview

Static

static

3

SecuriteIn...21.exe

windows7-x64

SecuriteIn...21.exe

windows10-2004-x64

Sharing

General

Target

SecuriteInfo.com.TrojanX-gen.3121.2403
Size

552KB
Sample

240710-lea8xszbqk
MD5

6d4f51a238fce25887b0e3435fbf7fca
SHA1

6429f96ddf4737322799bee57dd42af539d4df77
SHA256

76ac8355a799b81b7adc8b3a3ee5f6f64f4cbd2ef23a421117346505da71a32c
SHA512

3d3d5d1d6057e4e31c0aca4413cb72d783cef910ad1a5eb1f3e52d25afef04e13a97883acecb058f962dc763f9589cd20df87d3efff50c242aeac4d4c0ea891e
SSDEEP

12288:/nMfWWNP0xC0eQVtJzJ0/jj4o7t8Xq3L8VRtoOsF:/MeWNPECratdJ84XXuUb90

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SecuriteInfo.com.TrojanX-gen.3121.exe

Resource

win7-20240704-en

xworm execution persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.TrojanX-gen.3121.exe

Resource

win10v2004-20240709-en

xworm execution persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

rwanco.duckdns.org:1515

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  SecuriteInfo.com.TrojanX-gen.3121.2403
- Size
  
  552KB
- MD5
  
  6d4f51a238fce25887b0e3435fbf7fca
- SHA1
  
  6429f96ddf4737322799bee57dd42af539d4df77
- SHA256
  
  76ac8355a799b81b7adc8b3a3ee5f6f64f4cbd2ef23a421117346505da71a32c
- SHA512
  
  3d3d5d1d6057e4e31c0aca4413cb72d783cef910ad1a5eb1f3e52d25afef04e13a97883acecb058f962dc763f9589cd20df87d3efff50c242aeac4d4c0ea891e
- SSDEEP
  
  12288:/nMfWWNP0xC0eQVtJzJ0/jj4o7t8Xq3L8VRtoOsF:/MeWNPECratdJ84XXuUb90
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy