xworm | 3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff | Triage

Sharing

General

Target

ArsenalCheats.exe
Size

274KB
Sample

240819-wj5nfaxhqb
MD5

3b328fc362a6459ed7b74bb3b0b824f3
SHA1

8b5cf3e0c26109a67a3832eb7b63c0954d266b9b
SHA256

3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff
SHA512

3c95ee1e07202c1a3580bc4433eb4c1dcb28b22c710d21a2852b6345b13b358e49df74337aff475b8f9df8bf845b18a48374612b1a278f06dfb4b7382c6025cc
SSDEEP

6144:bB5O/3TQG9zULZNv/KOrZTn5ZPUksUflro+CD0l:bBgn9zmZNv/K4ZT5ZP/sU9rjC4

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.22:11860

Mutex

Wn4BW0u57Ed8grMl

Attributes

Install_directory
%LocalAppData%
install_file
Windows Host Proccess.exe

aes.plain

Targets

- Target
  
  ArsenalCheats.exe
- Size
  
  274KB
- MD5
  
  3b328fc362a6459ed7b74bb3b0b824f3
- SHA1
  
  8b5cf3e0c26109a67a3832eb7b63c0954d266b9b
- SHA256
  
  3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff
- SHA512
  
  3c95ee1e07202c1a3580bc4433eb4c1dcb28b22c710d21a2852b6345b13b358e49df74337aff475b8f9df8bf845b18a48374612b1a278f06dfb4b7382c6025cc
- SSDEEP
  
  6144:bB5O/3TQG9zULZNv/KOrZTn5ZPUksUflro+CD0l:bBgn9zmZNv/K4ZT5ZP/sU9rjC4
Score

10^/10

discovery execution xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

xwormdiscoveryexecutionpersistencerattrojan

behavioral3

xwormdiscoveryexecutionpersistencerattrojan

behavioral4

xwormdiscoveryexecutionpersistencerattrojan