xworm | d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

d083bef3ab...00.exe

windows7-x64

d083bef3ab...00.exe

windows10-2004-x64

Sharing

General

Target

d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000
Size

761KB
Sample

240712-2b89jsshnl
MD5

1b767b2a4f8596b12e1e2306cb3b9939
SHA1

007190828b70f2a72311e603bbb94bcb2e41b1c0
SHA256

d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000
SHA512

cf3bbbfe500fc752eb0d777f44d90d1d245bb5394ada49a26a0ac31d62d331324a2c49f1e14072ec446d5a1acb44e9426868af2898cdfe65effe9092bf1fa6d7
SSDEEP

12288:MSJBQ/xsjApTtnb0TbQxMM90CL7VmADH2eJGCOTJfVXwAfIXZqPtbxZWdezgrrN:MABQ/mjuTt4TbQRjDH2eJQTNqcWOVZK1

Score

10^/10

xworm persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe

Resource

win7-20240705-en

xworm persistence rat spyware stealer trojan

windows7-x64

20 signatures

60 seconds

Behavioral task

behavioral2

Sample

d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe

Resource

win10v2004-20240709-en

xworm persistence rat spyware stealer trojan

windows10-2004-x64

23 signatures

60 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:13576

edition-eat.gl.at.ply.gg:13576

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000
- Size
  
  761KB
- MD5
  
  1b767b2a4f8596b12e1e2306cb3b9939
- SHA1
  
  007190828b70f2a72311e603bbb94bcb2e41b1c0
- SHA256
  
  d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000
- SHA512
  
  cf3bbbfe500fc752eb0d777f44d90d1d245bb5394ada49a26a0ac31d62d331324a2c49f1e14072ec446d5a1acb44e9426868af2898cdfe65effe9092bf1fa6d7
- SSDEEP
  
  12288:MSJBQ/xsjApTtnb0TbQxMM90CL7VmADH2eJGCOTJfVXwAfIXZqPtbxZWdezgrrN:MABQ/mjuTt4TbQRjDH2eJQTNqcWOVZK1
Score

10^/10

xworm persistence rat spyware stealer trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistenceratspywarestealertrojan

behavioral2

xwormpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.