xworm | d538155f9d03a9109f09d716733bba969677f569171852afabad28993d6b5dde | Triage

Sharing

General

Target

d538155f9d03a9109f09d716733bba969677f569171852afabad28993d6b5dde.exe
Size

46KB
Sample

241002-b2evhs1bpl
MD5

a66e7a2216c3bbea30a25a82acff1022
SHA1

472c1c23e1444f595791bbd53b8d2619250ae727
SHA256

d538155f9d03a9109f09d716733bba969677f569171852afabad28993d6b5dde
SHA512

419655c5063b080be51e266ed5281ec97593de47d9fbdd998b7b2e58bea0f414d0725a127deeb8ae18d56aeed8c1650d5b508b6eef7aa77782e5f4a9657fd564
SSDEEP

768:6oCKLEXpREtWHWqXTst7IOL6jiAYHyvj7dehVQdIwHzEypFYeuoGAto6hlUcuW1R:KPKoz

Score

10^/10

xworm dropper evasion execution persistence rat trojan

Malware Config

Targets

- Target
  
  d538155f9d03a9109f09d716733bba969677f569171852afabad28993d6b5dde.exe
- Size
  
  46KB
- MD5
  
  a66e7a2216c3bbea30a25a82acff1022
- SHA1
  
  472c1c23e1444f595791bbd53b8d2619250ae727
- SHA256
  
  d538155f9d03a9109f09d716733bba969677f569171852afabad28993d6b5dde
- SHA512
  
  419655c5063b080be51e266ed5281ec97593de47d9fbdd998b7b2e58bea0f414d0725a127deeb8ae18d56aeed8c1650d5b508b6eef7aa77782e5f4a9657fd564
- SSDEEP
  
  768:6oCKLEXpREtWHWqXTst7IOL6jiAYHyvj7dehVQdIwHzEypFYeuoGAto6hlUcuW1R:KPKoz
Score

10^/10

dropper execution xworm evasion persistence rat trojan
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Download via BitsAdmin
  dropper
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

BITS Jobs

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

BITS Jobs

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

dropperexecution

behavioral2

xwormdropperevasionexecutionpersistencerattrojan