xworm

General

Target

Image.Logger.BC.zip
Size

620KB
Sample

240817-p3xzdawera
MD5

f476e14baad68d49d812df74d81dca51
SHA1

a298b08239893a5e74073a5364cd6d12a151499f
SHA256

4c932e97ce97604516341abb630e5b01fe66d58690bcbce0045497c05b72b788
SHA512

d9675189a5610a7f99484b779e2d1628ccbf1e154bd92afee2a3d40877e33eaad2932511b0e0ceafa679b669a1fb4b829b2a2abd5d058120df35ac7a5b6c55ee
SSDEEP

12288:VK3huXezDgDg5juWKZBzZ7+ERzOsj4Cdg3uMl1sqZZek9tc9:M8aMglu/1MEj4Cdg3uM0q/Nte

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

roadman-43811.portmap.host:43811

Mutex

XNkTwYaamsqu5k2t

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  Image Logger BC/NewEagles.dll
- Size
  
  446KB
- MD5
  
  c05c4f98985197336a0efef71921e335
- SHA1
  
  968462acaa4019e878754e5bccbcb67517fb0798
- SHA256
  
  6009711cf42381156d8a11d5491edf464b5cd070dc8536dae0d40b5ea988e305
- SHA512
  
  40a2b5ee44ca8b22ada713de9df8d372b36b7495e05e610de1b5d55f469cec984fc00c54df5d2c822e8bb2cbb5c97ee709f69b0c88c02b9ca1eabea2c48fdabe
- SSDEEP
  
  12288:Nm3uUrxrUQMNdwnaqIr+FBm3uUrxrUQMNdwnaqIr+F:Na9o8aqjRa9o8aqj
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  Image Logger BC/NewEagles.exe
- Size
  
  195KB
- MD5
  
  ee8d8547ffd127abd7f0a744cf031507
- SHA1
  
  0b46d8fc9d4ad3f9cffb13ed2a33a6e3fe55dd00
- SHA256
  
  5261fa47390ddff255fba44397f9a0812db3ccf5790f1aa1e3c5c454e14a9286
- SHA512
  
  2d427db6a115dec99aefa7f6fb772d01351b2bc3633bf71771ec4c2c7c3b1f67cfbb5102881e6dc774541d274819ca478dbb33ea9b07289251261bd811861e2d
- SSDEEP
  
  3072:j35FiaMOniqPe5up6UDItRBb/wXdN5fvWRsqF+4+X+pkfoZE0sCP2RNPwqeLKtz/:jlfFeMcUctT2dN5fvUfLC8ZloP2U
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2