xworm | 2bd945e6fe787e53fe1d31e804e5e6d26aa9d249dd352eefe0a06e730a2e3196 | Triage

Submit
Reports

Overview

overview

Static

static

1

OSINT.bat

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

OSINT.bat
Size

400KB
Sample

240921-x5ke3azakp
MD5

cda6302e5a398269ffa2346d5ba30735
SHA1

6959b2df8f9d74f2ebda4791c62f152ce2ba1078
SHA256

2bd945e6fe787e53fe1d31e804e5e6d26aa9d249dd352eefe0a06e730a2e3196
SHA512

874ab267b8ecfa1b87fad51b6ec2898dc421ebc5e1ac69768cdc694f68c0507a92b693264724267add060d6fd5d08ae2504c3498c2b0eca6d0a9f70fa507a59c
SSDEEP

6144:syqlkA6Z/v4KGoNvZXp4TuYlSMGPrVfvjT2K3+EUv2TiYwWebDcuSJ8kuy5PYQSn:Ylr6dKoNlp4TuYU9TZSv2uGWy5wnmK

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

OSINT.bat

Resource

win10v2004-20240802-en

xworm defense_evasion execution persistence rat trojan

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

press-pairs.gl.at.ply.gg:50154

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  OSINT.bat
- Size
  
  400KB
- MD5
  
  cda6302e5a398269ffa2346d5ba30735
- SHA1
  
  6959b2df8f9d74f2ebda4791c62f152ce2ba1078
- SHA256
  
  2bd945e6fe787e53fe1d31e804e5e6d26aa9d249dd352eefe0a06e730a2e3196
- SHA512
  
  874ab267b8ecfa1b87fad51b6ec2898dc421ebc5e1ac69768cdc694f68c0507a92b693264724267add060d6fd5d08ae2504c3498c2b0eca6d0a9f70fa507a59c
- SSDEEP
  
  6144:syqlkA6Z/v4KGoNvZXp4TuYlSMGPrVfvjT2K3+EUv2TiYwWebDcuSJ8kuy5PYQSn:Ylr6dKoNlp4TuYU9TZSv2uGWy5wnmK
Score

10^/10

xworm defense_evasion execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy