xworm | f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3 | Triage

Sharing

General

Target

f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe
Size

62KB
Sample

241002-b4wwtavclf
MD5

b21ab710ce4e60b33dcd3bdb128c8818
SHA1

3b7ba2407fa8b0f6efe28b1f94862a19395433bf
SHA256

f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3
SHA512

694c5216fb5f590cd5544fcbba6c3374b97254ce68c51316ac2eebd32192228222be52018fb6b51c20d1c20dbf20e5bf65a92955436940e61de68ee1a45f5547
SSDEEP

768:iaG6Z0e6xt0HFeDTmAE1paSfU4Z+Klg51FlJK1VY3iIrJlKxVo4ttWLAZn:iaG6Ct0iER9+KiDJAY3iIF8ro47WLy

Score

10^/10

xworm evasion execution persistence rat trojan

Malware Config

Targets

- Target
  
  f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe
- Size
  
  62KB
- MD5
  
  b21ab710ce4e60b33dcd3bdb128c8818
- SHA1
  
  3b7ba2407fa8b0f6efe28b1f94862a19395433bf
- SHA256
  
  f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3
- SHA512
  
  694c5216fb5f590cd5544fcbba6c3374b97254ce68c51316ac2eebd32192228222be52018fb6b51c20d1c20dbf20e5bf65a92955436940e61de68ee1a45f5547
- SSDEEP
  
  768:iaG6Z0e6xt0HFeDTmAE1paSfU4Z+Klg51FlJK1VY3iIrJlKxVo4ttWLAZn:iaG6Ct0iER9+KiDJAY3iIF8ro47WLy
Score

10^/10

evasion execution trojan xworm persistence rat
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionexecutiontrojan

behavioral2

xwormevasionexecutionpersistencerattrojan