xworm | 586f84f00057a75fbfd0f4db886702e67de05d30a17f1ab576c4ee07fbdb73fd | Triage

Sharing

Copy URL Twitter E-mail

General

Target

586f84f00057a75fbfd0f4db886702e67de05d30a17f1ab576c4ee07fbdb73fd.ps1
Size

326KB
Sample

240925-b9ngma1bld
MD5

27d20bdda6494c73a24bae16d3568c1d
SHA1

77ba6a6c44fdd920579f91a5ee37bfa2c7d494a0
SHA256

586f84f00057a75fbfd0f4db886702e67de05d30a17f1ab576c4ee07fbdb73fd
SHA512

f1d954fe930890e74874eff35ac217cca2274a7ce693522724dc74b38bcb6810f5fad91023843d489ba6ad83a8aedc2e0020ec964449f73ca662a6f2c24e0608
SSDEEP

3072:16CA55HWty5Hh4LhC8D60U4h3mSuoTUfWwLC5ImBK5W9Fp81fABAUvetcTnZj:sV5H1Hh4LhC8zTUOwqYyfbZ

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

wireoff.work.gd:7000

Mutex

M1ckbLXGiMXwWvIS

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  586f84f00057a75fbfd0f4db886702e67de05d30a17f1ab576c4ee07fbdb73fd.ps1
- Size
  
  326KB
- MD5
  
  27d20bdda6494c73a24bae16d3568c1d
- SHA1
  
  77ba6a6c44fdd920579f91a5ee37bfa2c7d494a0
- SHA256
  
  586f84f00057a75fbfd0f4db886702e67de05d30a17f1ab576c4ee07fbdb73fd
- SHA512
  
  f1d954fe930890e74874eff35ac217cca2274a7ce693522724dc74b38bcb6810f5fad91023843d489ba6ad83a8aedc2e0020ec964449f73ca662a6f2c24e0608
- SSDEEP
  
  3072:16CA55HWty5Hh4LhC8D60U4h3mSuoTUfWwLC5ImBK5W9Fp81fABAUvetcTnZj:sV5H1Hh4LhC8zTUOwqYyfbZ
Score

10^/10

execution xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionrattrojan