xworm | cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4 | Triage

Submit
Reports

Overview

overview

Static

static

3

cf7a4925fd...b4.exe

windows7-x64

cf7a4925fd...b4.exe

windows10-2004-x64

Sharing

General

Target

cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4.exe
Size

5.6MB
Sample

240727-cdxwvszcrn
MD5

578b2c56cabfa2d2a29bc7c0184a8e1d
SHA1

11326b4b732c5cdb0edf9541c70d2dea3411ad6f
SHA256

cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4
SHA512

7ef67f3e50ad6bfb49b4fe62c7b44982d9b1620627c6514c535fb7df5c56aceb16a0392d7c9af82016d42a809ea2475eb1c4595bf87cedb3657a73d0fa6b57d8
SSDEEP

98304:AxdENT+6HE4ThcGalSS9d+udj3mYcCqQcgT3XV8tEbETvsDHaLqV710ZZ9rPzrPH:v/HMlS2JxmYcmcg7XGqb6Msq51GPf

Score

10^/10

xworm discovery persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4.exe

Resource

win7-20240705-en

xworm discovery persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4.exe

Resource

win10v2004-20240709-en

xworm discovery persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

she-vocal.gl.at.ply.gg:36704

Attributes

Install_directory
%AppData%
install_file
notepad.exe

Targets

- Target
  
  cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4.exe
- Size
  
  5.6MB
- MD5
  
  578b2c56cabfa2d2a29bc7c0184a8e1d
- SHA1
  
  11326b4b732c5cdb0edf9541c70d2dea3411ad6f
- SHA256
  
  cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4
- SHA512
  
  7ef67f3e50ad6bfb49b4fe62c7b44982d9b1620627c6514c535fb7df5c56aceb16a0392d7c9af82016d42a809ea2475eb1c4595bf87cedb3657a73d0fa6b57d8
- SSDEEP
  
  98304:AxdENT+6HE4ThcGalSS9d+udj3mYcCqQcgT3XV8tEbETvsDHaLqV710ZZ9rPzrPH:v/HMlS2JxmYcmcg7XGqb6Msq51GPf
Score

10^/10

xworm discovery persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormdiscoverypersistencerattrojan

behavioral2

xwormdiscoverypersistencerattrojan

© 2018-2024

Terms | Privacy