xworm | f89b32f063ca4ecf3aa5ae2d30d5d7bb8a1643571964e9f24ef1f079b8c69fba | Triage

Sharing

Copy URL Twitter E-mail

General

Target

aplikacja.exe
Size

33KB
Sample

240829-sm8ygszfrm
MD5

eb3e27f143eedc4ce49fb606770349cb
SHA1

fc20ee5c10922eb57fcde504f05b17a8427aee55
SHA256

f89b32f063ca4ecf3aa5ae2d30d5d7bb8a1643571964e9f24ef1f079b8c69fba
SHA512

675dbb90a4fa7c43aefd77793418befe02c51b7a0d7bf36d16d82865a6f25e3b342f12be5419f3b97ca9461d5de0982a88ff7aacf290b62b3d6fa372b5e5e4ea
SSDEEP

384:Gl+PkjD9+E5MFs7iui8L7zoM42pfL3iB7OxVqWYRApkFXBLTsOZwpGN2v99IkuiS:m+CD93W03F42JiB706VF49j1OjhPbN

Score

10^/10

xworm discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

lefferek-42016.portmap.host:42016

Mutex

o6LSoD6nQl6RkE3M

Attributes

install_file
USB.exe

aes.plain

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7

Targets

- Target
  
  aplikacja.exe
- Size
  
  33KB
- MD5
  
  eb3e27f143eedc4ce49fb606770349cb
- SHA1
  
  fc20ee5c10922eb57fcde504f05b17a8427aee55
- SHA256
  
  f89b32f063ca4ecf3aa5ae2d30d5d7bb8a1643571964e9f24ef1f079b8c69fba
- SHA512
  
  675dbb90a4fa7c43aefd77793418befe02c51b7a0d7bf36d16d82865a6f25e3b342f12be5419f3b97ca9461d5de0982a88ff7aacf290b62b3d6fa372b5e5e4ea
- SSDEEP
  
  384:Gl+PkjD9+E5MFs7iui8L7zoM42pfL3iB7OxVqWYRApkFXBLTsOZwpGN2v99IkuiS:m+CD93W03F42JiB706VF49j1OjhPbN
Score

10^/10

xworm discovery execution persistence privilege_escalation rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistenceprivilege_escalationrattrojan

behavioral2

xwormdiscoveryexecutionpersistenceprivilege_escalationrattrojan