xworm | 3cb75e7dce4867e8e5ef45902b75d981c145055b4e9b06936a44dca96fcb19c5 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

XWorm V5.2.exe

windows7-x64

XWorm V5.2.exe

windows10-2004-x64

Sharing

General

Target

XWorm V5.2.exe
Size

215KB
Sample

240715-vvrehs1cqq
MD5

13e350200a0694496a28d3726f8fe2aa
SHA1

5a6353127160e4e183f67c2469ce704de02b6d4c
SHA256

3cb75e7dce4867e8e5ef45902b75d981c145055b4e9b06936a44dca96fcb19c5
SHA512

02a29f002c705f64b4c999f4934a21d3c7e1bd9cc123ec10366b460b1371b7db5b730fc1e795519e070128ef3c749e7eb53a4d20f48b1d917b4918a083abcbcb
SSDEEP

3072:pHyYuG0wbHN2b1GSTOQEYhYiA2ewhLapuvpAsZOyMqmyBeYVYG:dFuGPbHN2bAS2PC/GWGwqqm1

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XWorm V5.2.exe

Resource

win7-20240705-en

xworm execution persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

XWorm V5.2.exe

Resource

win10v2004-20240709-en

xworm execution persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

edition-ages.gl.at.ply.gg:14076

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Targets

- Target
  
  XWorm V5.2.exe
- Size
  
  215KB
- MD5
  
  13e350200a0694496a28d3726f8fe2aa
- SHA1
  
  5a6353127160e4e183f67c2469ce704de02b6d4c
- SHA256
  
  3cb75e7dce4867e8e5ef45902b75d981c145055b4e9b06936a44dca96fcb19c5
- SHA512
  
  02a29f002c705f64b4c999f4934a21d3c7e1bd9cc123ec10366b460b1371b7db5b730fc1e795519e070128ef3c749e7eb53a4d20f48b1d917b4918a083abcbcb
- SSDEEP
  
  3072:pHyYuG0wbHN2b1GSTOQEYhYiA2ewhLapuvpAsZOyMqmyBeYVYG:dFuGPbHN2bAS2PC/GWGwqqm1
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy