xworm

General

Target

https://394c6816-406f-4ddf-a1b9-243887aca407-00-1uiwnd3zwjoch.worf.replit.dev/ZYLO-Executor.html
Sample

240802-cvbpyszgrj

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

social-ontario.gl.at.ply.gg:19064

Attributes

Install_directory
%Temp%
install_file
ZYLO.exe

Targets

- Target
  
  https://394c6816-406f-4ddf-a1b9-243887aca407-00-1uiwnd3zwjoch.worf.replit.dev/ZYLO-Executor.html
Score

10^/10

xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1