xworm | 829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

SynZ.zip

windows11-21h2-x64

Resubmissions

29/08/2024, 01:09

240829-bh6twswdkf 10

29/08/2024, 01:06

240829-bgdrqawcke 3

Sharing

General

Target

SynZ.zip
Size

51KB
Sample

240829-bh6twswdkf
MD5

b23eb8982c76332c7da86e438f37e390
SHA1

81552549673b96a88ae76eca202f25df1fae912a
SHA256

829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271
SHA512

93cf779ace6b752395ac006d6feb9459c1caeed51301c3f784fdb7875ce163ac915387b5777f5c87f8b3eddb46ca0842ffbe092995814599a500240e81a5c163
SSDEEP

1536:5lH+sK5umOmSgfPHDj37BlX5adbzIqQo5s5y4RM/r6i6FRLJl:5lXmjLfPtlXSzqoa5YT6NHl

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

SynZ.zip

Resource

win11-20240802-en

xworm discovery execution persistence rat trojan

windows11-21h2-x64

23 signatures

600 seconds

Malware Config

Extracted

Family

xworm

C2

one-qualified.gl.at.ply.gg:61458

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  SynZ.zip
- Size
  
  51KB
- MD5
  
  b23eb8982c76332c7da86e438f37e390
- SHA1
  
  81552549673b96a88ae76eca202f25df1fae912a
- SHA256
  
  829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271
- SHA512
  
  93cf779ace6b752395ac006d6feb9459c1caeed51301c3f784fdb7875ce163ac915387b5777f5c87f8b3eddb46ca0842ffbe092995814599a500240e81a5c163
- SSDEEP
  
  1536:5lH+sK5umOmSgfPHDj37BlX5adbzIqQo5s5y4RM/r6i6FRLJl:5lXmjLfPtlXSzqoa5YT6NHl
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy