xworm | f0fe748ae439cbf48e835f24b173d1d330a91c25c22989bc27ec1f2e5f807b29 | Triage

Sharing

General

Target

f0fe748ae439cbf48e835f24b173d1d330a91c25c22989bc27ec1f2e5f807b29.exe
Size

10KB
Sample

241002-b4t28avclb
MD5

da5c14913ef42727dd9f10c3fd81c3f2
SHA1

78cbca00e80451232a78238913c8223c20f5332e
SHA256

f0fe748ae439cbf48e835f24b173d1d330a91c25c22989bc27ec1f2e5f807b29
SHA512

5a62d75ed7118b984214afd283c2feb44e313c6955184a1be4bbbe12ef86d78363783b8ff46360379df619030b7ca7d11a17c239c848136fe2f9e4b76c1cd2d4
SSDEEP

192:AzR3Qq132ohjWCX/khjnJsv0G0DLdqn/Q7jykVpTOs:EfVZhUtlG0vdqEjykV5O

Score

10^/10

xworm evasion execution persistence rat trojan

Malware Config

Targets

- Target
  
  f0fe748ae439cbf48e835f24b173d1d330a91c25c22989bc27ec1f2e5f807b29.exe
- Size
  
  10KB
- MD5
  
  da5c14913ef42727dd9f10c3fd81c3f2
- SHA1
  
  78cbca00e80451232a78238913c8223c20f5332e
- SHA256
  
  f0fe748ae439cbf48e835f24b173d1d330a91c25c22989bc27ec1f2e5f807b29
- SHA512
  
  5a62d75ed7118b984214afd283c2feb44e313c6955184a1be4bbbe12ef86d78363783b8ff46360379df619030b7ca7d11a17c239c848136fe2f9e4b76c1cd2d4
- SSDEEP
  
  192:AzR3Qq132ohjWCX/khjnJsv0G0DLdqn/Q7jykVpTOs:EfVZhUtlG0vdqEjykV5O
Score

10^/10

evasion trojan xworm execution persistence rat
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormevasionexecutionpersistencerattrojan