xworm

Sharing

Copy URL

Twitter E-mail

General

Target

XClient.rar
Size

47KB
Sample

240801-zqktdszhng
MD5

3e927f3cf005e86563edd2f8b9a010a7
SHA1

d3298614438c234c90cf4d979ea166211dd32e6f
SHA256

baa8ace81d5e51f20fea99bf6b8de26c594a2011b670883304e085e5a9847eb2
SHA512

a12f9f63aeefd7b46a28bba0d9266ae57ea8e1a1a1dd24ed00125d3d31d6c8e93fc448c183d5bc7c49b617e577c611bfa38ee7527f2584bfe5d4273b3e056558
SSDEEP

768:KJqOIafzF7rapluoLB4bkKxOxUR+ezEuauHG+YUqYm074Idsvv7L/jBhl+6NDNz8:XLaR7WbuoLQk1evrmIzm0EICvvRBbz8

Score

10^/10

Malware Config

Extracted

Family

xworm

full-self.gl.at.ply.gg:45212

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  XClient.exe
- Size
  
  80KB
- MD5
  
  bfa950b37b6a4f8de71af861e677a8b4
- SHA1
  
  2ee40bfbf2964d92c82256e5924169295dfdd225
- SHA256
  
  07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade
- SHA512
  
  235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a
- SSDEEP
  
  1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral1 behavioral10 behavioral11 behavioral12 behavioral13 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13