xworm | d7d0c2631a0b521fb3e0bd438bc6039672c9892d305e0219bf48daa6fa304336 | Triage

Submit
Reports

Overview

overview

Static

static

3

InspectedS....3.exe

windows7-x64

InspectedS....3.exe

windows10-2004-x64

Resubmissions

22/07/2024, 15:24

240722-stfwaavfjp 10

22/07/2024, 15:11

240722-skn6asvclk 10

Sharing

Copy URL Twitter E-mail

General

Target

InspectedSetupFreeV1.3.exe
Size

100KB
Sample

240722-stfwaavfjp
MD5

32fc084c514fdd90340e84c95dd1b1d0
SHA1

c216536523a116d7797211f82f46b7c736871962
SHA256

d7d0c2631a0b521fb3e0bd438bc6039672c9892d305e0219bf48daa6fa304336
SHA512

a254b4048e11c95fd4676eb976901805c2ca82adb7caaac5ec0d83e089394a2abb04d109c3c95aee9a4500dded124c3e999cf31e57758f5c59b070a432c1eae3
SSDEEP

3072:z0GvrRmy5wl9za2BL905Ft1zcYQ9jmoUZ:IGvr5wlFp9059zcYQY

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

InspectedSetupFreeV1.3.exe

Resource

win7-20240704-en

xworm execution persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

InspectedSetupFreeV1.3.exe

Resource

win10v2004-20240709-en

xworm execution persistence rat trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

Valdemar-21441.portmap.host:21441

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  InspectedSetupFreeV1.3.exe
- Size
  
  100KB
- MD5
  
  32fc084c514fdd90340e84c95dd1b1d0
- SHA1
  
  c216536523a116d7797211f82f46b7c736871962
- SHA256
  
  d7d0c2631a0b521fb3e0bd438bc6039672c9892d305e0219bf48daa6fa304336
- SHA512
  
  a254b4048e11c95fd4676eb976901805c2ca82adb7caaac5ec0d83e089394a2abb04d109c3c95aee9a4500dded124c3e999cf31e57758f5c59b070a432c1eae3
- SSDEEP
  
  3072:z0GvrRmy5wl9za2BL905Ft1zcYQ9jmoUZ:IGvr5wlFp9059zcYQY
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy