xworm | 8b727dffabda06723791acd0d96cbf04abdd8fd37c88fd98108f6745c49ee03b | Triage

Sharing

General

Target

8b727dffabda06723791acd0d96cbf04abdd8fd37c88fd98108f6745c49ee03b.js
Size

11KB
Sample

240923-v8vdbsvejn
MD5

2453ab0c14a3588a2d51493c1f93ca2e
SHA1

43cce83b933888b0c9ff11f16c91f41798f3aa2a
SHA256

8b727dffabda06723791acd0d96cbf04abdd8fd37c88fd98108f6745c49ee03b
SHA512

063912d001627c2e20d94bea2009e946bfa9eb332d1e35fe5daa9fb21919e14732b87a774e0dfc2e5dee53952510050a8c0038e7cebc9ffced5f0dcfe2c1587c
SSDEEP

192:D1awy9Hcu1ANhCI7gRw8nqoph72IfCDcvkcMNhCIhCrG7ckMNNXEdyn40coIzcsj:D2RcumNMkwwToph72IqDcscMNMPrG7iQ

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

xworm

Version

5.0

C2

yoda2024.sytes.net:43831

Mutex

J4rIgEZp1s66p2yZ

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  8b727dffabda06723791acd0d96cbf04abdd8fd37c88fd98108f6745c49ee03b.js
- Size
  
  11KB
- MD5
  
  2453ab0c14a3588a2d51493c1f93ca2e
- SHA1
  
  43cce83b933888b0c9ff11f16c91f41798f3aa2a
- SHA256
  
  8b727dffabda06723791acd0d96cbf04abdd8fd37c88fd98108f6745c49ee03b
- SHA512
  
  063912d001627c2e20d94bea2009e946bfa9eb332d1e35fe5daa9fb21919e14732b87a774e0dfc2e5dee53952510050a8c0038e7cebc9ffced5f0dcfe2c1587c
- SSDEEP
  
  192:D1awy9Hcu1ANhCI7gRw8nqoph72IfCDcvkcMNhCIhCrG7ckMNNXEdyn40coIzcsj:D2RcumNMkwwToph72IqDcscMNMPrG7iQ
Score

10^/10

execution xworm defense_evasion discovery persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdefense_evasiondiscoveryexecutionpersistencerattrojan