xworm | f46b3855107a51e31315403e355801a1acf6cb80fe3109fa2c1d479187e77e17 | Triage

Submit
Reports

Overview

overview

Static

static

expensive.exe

windows10-1703-x64

Sharing

Copy URL Twitter E-mail

General

Target

expensive.exe
Size

77KB
Sample

240823-wxjm5ayeqg
MD5

998b39330740867ac8c6caf7223a8810
SHA1

c7b6233aea54a9b552e76dcea65c7ad9bd73aadf
SHA256

f46b3855107a51e31315403e355801a1acf6cb80fe3109fa2c1d479187e77e17
SHA512

a78da51a9198c641fc215b0e7ae643b564100cce0e5b2abd325a152a4477027af3e78dc362989ffc8075a2544cab9e8f111c63a2a5c1244a8693bd039c3b5ad0
SSDEEP

1536:wC49pWSOaKy7GA/QqyGpfD5C6WbfxPgqupiF6n5xGOuePaYK:s/Wf8/zyGpf96bfJg6g5xGOpP3K

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

expensive.exe

Resource

win10-20240404-en

xworm discovery execution persistence rat trojan

windows10-1703-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:17570

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Targets

- Target
  
  expensive.exe
- Size
  
  77KB
- MD5
  
  998b39330740867ac8c6caf7223a8810
- SHA1
  
  c7b6233aea54a9b552e76dcea65c7ad9bd73aadf
- SHA256
  
  f46b3855107a51e31315403e355801a1acf6cb80fe3109fa2c1d479187e77e17
- SHA512
  
  a78da51a9198c641fc215b0e7ae643b564100cce0e5b2abd325a152a4477027af3e78dc362989ffc8075a2544cab9e8f111c63a2a5c1244a8693bd039c3b5ad0
- SSDEEP
  
  1536:wC49pWSOaKy7GA/QqyGpfD5C6WbfxPgqupiF6n5xGOuePaYK:s/Wf8/zyGpf96bfJg6g5xGOpP3K
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy