xworm

Resubmissions

02-09-2024 04:11

240902-erx5ws1ekl 10

31-08-2024 15:44

240831-s6y8dssajf 10

31-08-2024 15:41

240831-s4ytva1gph 10

31-08-2024 15:35

240831-s1fh4a1fjk 10

Sharing

Copy URL

Twitter E-mail

General

Target

XClient.exe
Size

84KB
Sample

240831-s6y8dssajf
MD5

13f12b20731a141144d59aef56828f78
SHA1

2aef63a0f584914b022ea7d039bd431fa99520b3
SHA256

28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b
SHA512

19f9aeb3ceed2cd0ab93e0f449174de9f07afba41f38c620a1480b052c18ce898d52b9c90f3cfe83611064b4b6cf7444041a4b1d52de214811436975802bcbaa
SSDEEP

1536:E4VFkamGxes+ESPmWnz5fH0hgThsipZR8beJKNlG8V6f7/7zOD5gfRJoBP:E4VNxedPmWt04/UbeSly7/vOD5c4V

Score

10^/10

Malware Config

Extracted

Family

xworm

178.215.236.68:7000

Attributes

install_file
USB.exe

Targets

- Target
  
  XClient.exe
- Size
  
  84KB
- MD5
  
  13f12b20731a141144d59aef56828f78
- SHA1
  
  2aef63a0f584914b022ea7d039bd431fa99520b3
- SHA256
  
  28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b
- SHA512
  
  19f9aeb3ceed2cd0ab93e0f449174de9f07afba41f38c620a1480b052c18ce898d52b9c90f3cfe83611064b4b6cf7444041a4b1d52de214811436975802bcbaa
- SSDEEP
  
  1536:E4VFkamGxes+ESPmWnz5fH0hgThsipZR8beJKNlG8V6f7/7zOD5gfRJoBP:E4VNxedPmWt04/UbeSly7/vOD5c4V
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deletes itself

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5