xworm | a7f49df64ba98d30e7a9f80997638f97d44b5163e818e167dbbc073bd55e2362 | Triage

Sharing

General

Target

XClient3.bat
Size

264KB
Sample

241002-bnkhvazdlr
MD5

96bc4a2abe18426797c6c63b05b275b3
SHA1

0cdcf4d9b03ff0624f2ac8793a5fa315a98d4e16
SHA256

a7f49df64ba98d30e7a9f80997638f97d44b5163e818e167dbbc073bd55e2362
SHA512

28ca089ac3bfbe21b9c37c20c347ad68da03c65e1687674b0a437cacfdc59d737576c12149f3b903588d3b50aab71c185e0ec36a0831ba0398b9f56fa52e28e6
SSDEEP

6144:6G98bC57ublkrWd3leRpXteJsPYAifRaqKEdd8E:9D57uZ4s3lgNwA8db8E

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:47628

employment-celebs.gl.at.ply.gg:47628

Mutex

UrZFZ6UDLpSiVpzn

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Targets

- Target
  
  XClient3.bat
- Size
  
  264KB
- MD5
  
  96bc4a2abe18426797c6c63b05b275b3
- SHA1
  
  0cdcf4d9b03ff0624f2ac8793a5fa315a98d4e16
- SHA256
  
  a7f49df64ba98d30e7a9f80997638f97d44b5163e818e167dbbc073bd55e2362
- SHA512
  
  28ca089ac3bfbe21b9c37c20c347ad68da03c65e1687674b0a437cacfdc59d737576c12149f3b903588d3b50aab71c185e0ec36a0831ba0398b9f56fa52e28e6
- SSDEEP
  
  6144:6G98bC57ublkrWd3leRpXteJsPYAifRaqKEdd8E:9D57uZ4s3lgNwA8db8E
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan