xworm | e0f8da5010a1162b1480daec57e3d2122a3f4fc7ab89797fb75536729f7fb7d7 | Triage

Submit
Reports

Overview

overview

Static

static

2024091916...ar.exe

windows7-x64

2024091916...ar.exe

windows10-2004-x64

Sharing

General

Target

202409191600d925862ef753288750008ec0517chiddentear
Size

140KB
Sample

240919-h11h6awgnd
MD5

1600d925862ef753288750008ec0517c
SHA1

19d690bb3bd6e9e2a4ae3704ed5eba5c6295996d
SHA256

e0f8da5010a1162b1480daec57e3d2122a3f4fc7ab89797fb75536729f7fb7d7
SHA512

4828feeb01daadd4f7f39a70814c6da727ca0f71a3e4a25b0ea9ddafc604d8ad2a1300c22490fc68ddd15eb325f99dba0e85a612e0ead4455af2f31116d218e7
SSDEEP

3072:/esDcUBEg9YKM+lmsolAIrRuw+mqv9j1MWLQd:/ZBEg9o+lDAA

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

202409191600d925862ef753288750008ec0517chiddentear.exe

Resource

win7-20240903-en

xworm persistence rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

202409191600d925862ef753288750008ec0517chiddentear.exe

Resource

win10v2004-20240802-en

xworm persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

week-media.gl.at.ply.gg:28685

Mutex

k1CSgYnNfhE66GJj

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  202409191600d925862ef753288750008ec0517chiddentear
- Size
  
  140KB
- MD5
  
  1600d925862ef753288750008ec0517c
- SHA1
  
  19d690bb3bd6e9e2a4ae3704ed5eba5c6295996d
- SHA256
  
  e0f8da5010a1162b1480daec57e3d2122a3f4fc7ab89797fb75536729f7fb7d7
- SHA512
  
  4828feeb01daadd4f7f39a70814c6da727ca0f71a3e4a25b0ea9ddafc604d8ad2a1300c22490fc68ddd15eb325f99dba0e85a612e0ead4455af2f31116d218e7
- SSDEEP
  
  3072:/esDcUBEg9YKM+lmsolAIrRuw+mqv9j1MWLQd:/ZBEg9o+lDAA
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy