xworm | 4003f6e4300d01d309b0ec4fc47a7e6d89a403ca89f549e0c16003c7805f355e | Triage

Submit
Reports

Overview

overview

Static

static

3

PO1807015 ...r..exe

windows7-x64

PO1807015 ...r..exe

windows10-2004-x64

Sharing

General

Target

15072024_1349_14072024_PO1807015 - PR-SCM-WARL-07 - RFQ-Order.rar
Size

442KB
Sample

240715-q433fstdjl
MD5

b158c5b628ea94d3c6152f1ed30bd0b9
SHA1

ab835065048b8fba535372ac07a538b02a6c8f3a
SHA256

4003f6e4300d01d309b0ec4fc47a7e6d89a403ca89f549e0c16003c7805f355e
SHA512

6eb5794cf52c389a9721f6bd3825191b337e6a71c6b9998224a69cd84d2364c9f4f4dadc4974cd1febb1663464e6237a691491652b5cf8bc9f50ca1fdd4ddb23
SSDEEP

6144:T68J6A9hP7WygUm5KCq+ygZuinEQoCCnsOWQplhixam/f9F6sARAXCTIoBgXe:TiA9hTmgCqhcTfCnsORreCYABr

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PO1807015 - PR-SCM-WARL-07 - RFQ-Order..exe

Resource

win7-20240708-en

xworm execution rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

PO1807015 - PR-SCM-WARL-07 - RFQ-Order..exe

Resource

win10v2004-20240709-en

xworm execution rat trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

office4gold.duckdns.org:2468

185.174.102.60:2468

Mutex

SytVewvLq6b9BrPa

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  PO1807015 - PR-SCM-WARL-07 - RFQ-Order..exe
- Size
  
  518KB
- MD5
  
  2c79c3ae5e1cccd3bf147a596c211c8e
- SHA1
  
  97d5fd0bb77fd3eea9fe044dd0156d8be92e3759
- SHA256
  
  4834d023f44256c3b2d3cdc2240e1994a75d0774ee92491eb194f45bd9f7045c
- SHA512
  
  b95a1193d3499c2cc7c412eae144286289b1fbccb35b5821f3d313b58a61c3d17846997489cc3c129bf023717313f7c8682832d00e6be5d355cae6c0cf66a581
- SSDEEP
  
  12288:QrDDWx2PQfdqCT01PrVxzJ2c0Y7/YbpzWLVOZBI8k3:QPawMdqCsPxxpHMpyEBzk3
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy