xworm | 1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba | Triage

Submit
Reports

Overview

overview

Static

static

1f002be3e2...ba.exe

windows7-x64

1f002be3e2...ba.exe

windows10-2004-x64

Sharing

General

Target

1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba.exe
Size

170KB
Sample

240823-bkpcmaxerh
MD5

a805c895c507a30f12e39e04f55a7bf1
SHA1

1871cc40e2c48397f54d96d6be8fe07c0b615fa1
SHA256

1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba
SHA512

5b1b85a835c0d2f5253e2d421541344b1798365a8f25131f73b12df578958b257ab89d602ebff8974750dd76cf2fe5195ef9da6f7f017f180927f771121c02e1
SSDEEP

3072:T7FTPCDwNXHwR8bOH9yE8OB7SnFTM+lmsolAIrRuw+mqv9j1MWLQM:T7FTaDwRk8b09N/7S4+lDAA

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba.exe

Resource

win7-20240704-en

xworm persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba.exe

Resource

win10v2004-20240802-en

xworm persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1234

143.198.208.124:1234

Attributes

Install_directory
%Temp%
install_file
XClient.exe

Targets

- Target
  
  1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba.exe
- Size
  
  170KB
- MD5
  
  a805c895c507a30f12e39e04f55a7bf1
- SHA1
  
  1871cc40e2c48397f54d96d6be8fe07c0b615fa1
- SHA256
  
  1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba
- SHA512
  
  5b1b85a835c0d2f5253e2d421541344b1798365a8f25131f73b12df578958b257ab89d602ebff8974750dd76cf2fe5195ef9da6f7f017f180927f771121c02e1
- SSDEEP
  
  3072:T7FTPCDwNXHwR8bOH9yE8OB7SnFTM+lmsolAIrRuw+mqv9j1MWLQM:T7FTaDwRk8b09N/7S4+lDAA
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy