xworm | d35f477971442252b444638b427427ad2bca84f4991b1e1f6285cc00152b7701 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

dwdadwawa.exe

windows7-x64

dwdadwawa.exe

windows10-2004-x64

Sharing

General

Target

dwdadwawa.exe
Size

63KB
Sample

240724-gttlla1frm
MD5

7bb9d6edfd29f0b72b7c628b9fab2a3e
SHA1

f603ce6c91c1314c4af009792cfa725ce953e906
SHA256

d35f477971442252b444638b427427ad2bca84f4991b1e1f6285cc00152b7701
SHA512

38403a5e83716f3a98ff48653535a3599faa221c9dbfe9cf858b776975d4a8e73632e212e128fb6c6f73eb99f31a1f4e83696705df2fac72e2bbb179f701725d
SSDEEP

1536:ZYWnc4BSrIN5GMAFg6iu80+wcGr6bg9+UEPPArfh96GBo4AOnr5z:Z4aZAFg6FC5E6bg9+ZI/oOnr5z

Score

10^/10

xworm evasion execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

dwdadwawa.exe

Resource

win7-20240705-en

xworm evasion execution rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

dwdadwawa.exe

Resource

win10v2004-20240709-en

xworm execution rat trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  dwdadwawa.exe
- Size
  
  63KB
- MD5
  
  7bb9d6edfd29f0b72b7c628b9fab2a3e
- SHA1
  
  f603ce6c91c1314c4af009792cfa725ce953e906
- SHA256
  
  d35f477971442252b444638b427427ad2bca84f4991b1e1f6285cc00152b7701
- SHA512
  
  38403a5e83716f3a98ff48653535a3599faa221c9dbfe9cf858b776975d4a8e73632e212e128fb6c6f73eb99f31a1f4e83696705df2fac72e2bbb179f701725d
- SSDEEP
  
  1536:ZYWnc4BSrIN5GMAFg6iu80+wcGr6bg9+UEPPArfh96GBo4AOnr5z:Z4aZAFg6FC5E6bg9+ZI/oOnr5z
Score

10^/10

xworm evasion execution rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormevasionexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy