xworm | 1bb8c8c19237b327822cc6fbc537b9c4d50c549ff15f4e71abf84a2341eec0db | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

IpGeolocation.bat

windows7-x64

8

IpGeolocation.bat

windows10-2004-x64

Sharing

General

Target

IpGeolocation.bat
Size

610KB
Sample

240715-efd8mswhlr
MD5

624933026776b6141b7ca87c9eccb8d8
SHA1

d7d6388d6266360e14d7c6b56141a92053514387
SHA256

1bb8c8c19237b327822cc6fbc537b9c4d50c549ff15f4e71abf84a2341eec0db
SHA512

2d4617a578a45ee95e958fca89fbcd37882d9ca0d4b9a41e354d2901e3e19b75e9a96b7da5c9e5fdef3c9358bae06529bc3f9e2a74ae83fc3c62ae71a52f8958
SSDEEP

12288:M6nt5tlBhJSv4euiIl0Mhw0NbmInJpiudZtifyI72IaeYeeI:MQLlwdIyMhPnJpiWy5YdI

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

IpGeolocation.bat

Resource

win7-20240705-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

IpGeolocation.bat

Resource

win10v2004-20240709-en

xworm execution rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

cd-breast.gl.at.ply.gg:15244

updated-password.gl.at.ply.gg:15244

Attributes

Install_directory
%ProgramData%
install_file
SystemProcess.exe

Targets

- Target
  
  IpGeolocation.bat
- Size
  
  610KB
- MD5
  
  624933026776b6141b7ca87c9eccb8d8
- SHA1
  
  d7d6388d6266360e14d7c6b56141a92053514387
- SHA256
  
  1bb8c8c19237b327822cc6fbc537b9c4d50c549ff15f4e71abf84a2341eec0db
- SHA512
  
  2d4617a578a45ee95e958fca89fbcd37882d9ca0d4b9a41e354d2901e3e19b75e9a96b7da5c9e5fdef3c9358bae06529bc3f9e2a74ae83fc3c62ae71a52f8958
- SSDEEP
  
  12288:M6nt5tlBhJSv4euiIl0Mhw0NbmInJpiudZtifyI72IaeYeeI:MQLlwdIyMhPnJpiWy5YdI
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy