xworm | e9d5edd84989aa7cd3cb4add5d657f1ec8a19639d67d2ca43732184fe3791661 | Triage

Sharing

General

Target

NOUVELLES PENALITES SUR LES DISA.zip
Size

219KB
Sample

240719-vfhttsvalf
MD5

3b39fac7cc2fec5f08802d4c3ec781ac
SHA1

2253a604b25edd64ec7df07594b9c78bac538002
SHA256

e9d5edd84989aa7cd3cb4add5d657f1ec8a19639d67d2ca43732184fe3791661
SHA512

8d2eb293aa3f2e011d73dc72ff56240f51aff9882ad8496b37a10ff19ca6b10b7740c57f7ddf269a8bc79168e082a318dcce1c3f75bc313c7400f3b3cf903878
SSDEEP

3072:x4DkF4LLe3rf1FM8c1wK6qTaDtubSPMnt1k/AbUeUhyOVC43BetyP3508BG2sBqF:r4ubtQiK6oaDtubVTk/AMg8BhsgUR0v

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat
Password:
159753Jp*

Extracted

Family

xworm

Version

5.0

C2

yoda2024.sytes.net:43831

Mutex

J4rIgEZp1s66p2yZ

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  COURRIER DISA.zip.html
- Size
  
  216KB
- MD5
  
  c376c5c91c3f93ffb913cccbe09949e6
- SHA1
  
  4331d325bd138c96fe8c724e150ccf2d53f296c9
- SHA256
  
  2559caf1cc1e2fc03dcc6d87bf683a2f8f8e6c3b3f4ec65009dd09c5b15cd5a9
- SHA512
  
  bea51d67e36c2048ae918ccd6fe55a06bced1bf63543f333f6ad3d6d904abf55f8844582b776dd53861c8ec506f1265eb968c87a9c5ca2824f2673211812cfab
- SSDEEP
  
  6144:bKJ8Rd9k1aSYUr/VO295wjF50DVp7Rydcy7OGdZ:buc9ky6f9OrIvJ0OGb
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan