xworm | aa34e679921b3d50f6f0ace51bb251ce69ccbcbcc8355fa3ca3557c3e278b196 | Triage

Submit
Reports

Overview

overview

Static

static

3

SU.exe

windows10-2004-x64

Sharing

General

Target

SU.exe
Size

1.2MB
Sample

240913-qzjs1ssfnn
MD5

2a64aeb7b7cf578a9ad7be1d385d7be7
SHA1

476ebae30ae090a7d3bf9a95284beb3531136915
SHA256

aa34e679921b3d50f6f0ace51bb251ce69ccbcbcc8355fa3ca3557c3e278b196
SHA512

5bfa25235b47e0276532a21e93d7135ab9938c755d4ca1b7647dd1388ba8ed01b6f986c989bf806a939caff7154c0b36ecf78bf22f19e9b9d834e2381bcdf988
SSDEEP

24576:ikGNQ//5PPhGNV4AiaaObfIg8+KUctYM:9GNm/5XhG34AiROTb8+KUct

Score

10^/10

xworm discovery evasion execution persistence rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SU.exe

Resource

win10v2004-20240802-en

xworm discovery evasion execution persistence rat themida trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

192.168.223.129:4935

Mutex

luKRH8HypEesQaqn

Attributes

Install_directory
%AppData%
install_file
$77.exe

aes.plain

Targets

- Target
  
  SU.exe
- Size
  
  1.2MB
- MD5
  
  2a64aeb7b7cf578a9ad7be1d385d7be7
- SHA1
  
  476ebae30ae090a7d3bf9a95284beb3531136915
- SHA256
  
  aa34e679921b3d50f6f0ace51bb251ce69ccbcbcc8355fa3ca3557c3e278b196
- SHA512
  
  5bfa25235b47e0276532a21e93d7135ab9938c755d4ca1b7647dd1388ba8ed01b6f986c989bf806a939caff7154c0b36ecf78bf22f19e9b9d834e2381bcdf988
- SSDEEP
  
  24576:ikGNQ//5PPhGNV4AiaaObfIg8+KUctYM:9GNm/5XhG34AiROTb8+KUct
Score

10^/10

xworm discovery evasion execution persistence rat themida trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryevasionexecutionpersistenceratthemidatrojan

© 2018-2025

Terms | Privacy