xworm | b5f0a756b0f993c300f0a3aaa32a682c930c8bec974b84cf01373e383c36b2ef | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Rogalik.rar
Size

38KB
Sample

240721-qxyjdssepa
MD5

acdb81dfa526721958a7bf549ed69120
SHA1

f732dfc2ee5298ef0029d8323599e4c45a9dd3e7
SHA256

b5f0a756b0f993c300f0a3aaa32a682c930c8bec974b84cf01373e383c36b2ef
SHA512

2cac1b33d4e6742b379bd839aeb63a0d48ac929152ca72278e3f83f6c53b236bb5a4720ead38d2b7e03d99fc3cda1f3caed7067a1a3eea24eb4832393151b7a4
SSDEEP

768:YooHRJXPXgfSFfSypjNdUoM224xWKr/OWtMiK7eE1nUVBqSYgK00LPfVaaIz:hG9hRcBSQq/OWG7R1+XKXfVJg

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

loss-winners.gl.at.ply.gg:61007

Attributes

Install_directory
%AppData%
install_file
Expensive 3.1.exe

Targets

- Target
  
  RogalikClient.exe
- Size
  
  65KB
- MD5
  
  6e7a02155f6abafcdaf3203ee8407a31
- SHA1
  
  6379c4b9d9398d6faf7fc5e40c45fd86d94e9d3b
- SHA256
  
  4d827a102b732bf26cb1624030434a9427a9fc44cd0d787f4a8488bd3947a820
- SHA512
  
  7ce060561f541fd49a7a9bfe2ae6e0f5f5880447618660577a468e345115f0461e8b5277f009dd15cb9164f3fcbe83656d936b7cd243071495c69570b0329964
- SSDEEP
  
  1536:hs9sLzLCyOgNbco4jvLl2p16pg8rOlaHqd:0vgNbc5vLlWn8rOlaKd
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan