xworm | d73783e7c4f4a71b3f2041ca730ea2e575d5648e399a9bf53c9ec81b192aa5de | Triage

Submit
Reports

Overview

overview

Static

static

1

NexusLoader.bat

windows10-2004-x64

Sharing

General

Target

NexusLoader.bat
Size

370KB
Sample

240721-x8vefa1cpe
MD5

e28bd6a166fb90585df8869440e0bb15
SHA1

064709acaa5bb41c46a969fd6f41ea9a01c07be2
SHA256

d73783e7c4f4a71b3f2041ca730ea2e575d5648e399a9bf53c9ec81b192aa5de
SHA512

fa44c33d60bed56eee9c36c2a52aadb5dbeae60a7491029de8b7989bda6c65a1d8b798041f0f31ede047e9f3e3e5f3a7b325bfebe0d142637d28f98434f6fe31
SSDEEP

6144:3CG9xn/wsS0jtg6MXXOLl+bVg4+N8BZXCpQrYfbREmFAqjKFbR7:1PptSuLgbmGBEpMWbf+Fbx

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

NexusLoader.bat

Resource

win10v2004-20240709-en

xworm execution rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

room-movements.gl.at.ply.gg:19927

Mutex

EDIF1PgVg4HQmCc1

Attributes

Install_directory
%AppData%
install_file
WindowsReg.exe

aes.plain

Targets

- Target
  
  NexusLoader.bat
- Size
  
  370KB
- MD5
  
  e28bd6a166fb90585df8869440e0bb15
- SHA1
  
  064709acaa5bb41c46a969fd6f41ea9a01c07be2
- SHA256
  
  d73783e7c4f4a71b3f2041ca730ea2e575d5648e399a9bf53c9ec81b192aa5de
- SHA512
  
  fa44c33d60bed56eee9c36c2a52aadb5dbeae60a7491029de8b7989bda6c65a1d8b798041f0f31ede047e9f3e3e5f3a7b325bfebe0d142637d28f98434f6fe31
- SSDEEP
  
  6144:3CG9xn/wsS0jtg6MXXOLl+bVg4+N8BZXCpQrYfbREmFAqjKFbR7:1PptSuLgbmGBEpMWbf+Fbx
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy