xworm | 8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd | Triage

Sharing

General

Target

8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd.js
Size

1.4MB
Sample

241002-btjthatgkb
MD5

3094dc3bf3dacc07b7ae62e6cb53e02d
SHA1

7ff5441adf6b751704534c979046d5698dfdfdb1
SHA256

8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd
SHA512

48ba866defc3f817f8f043908eba4d8eec59d4f9af82c16184c95040c5d099c199999365f86d39619bd1c90e19d4a35f9f0b7292ff50ab1e69f161f363c46aab
SSDEEP

1536:u3BYP+9LHqamUMgVSnD5MOUbsNZoxOhjPFi/nZky:aM+9jDWgVSnD5QQNZDhjdi/1

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

kizitodavina.duckdns.org:8645

Mutex

oTbTivRCYmlY7umi

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd.js
- Size
  
  1.4MB
- MD5
  
  3094dc3bf3dacc07b7ae62e6cb53e02d
- SHA1
  
  7ff5441adf6b751704534c979046d5698dfdfdb1
- SHA256
  
  8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd
- SHA512
  
  48ba866defc3f817f8f043908eba4d8eec59d4f9af82c16184c95040c5d099c199999365f86d39619bd1c90e19d4a35f9f0b7292ff50ab1e69f161f363c46aab
- SSDEEP
  
  1536:u3BYP+9LHqamUMgVSnD5MOUbsNZoxOhjPFi/nZky:aM+9jDWgVSnD5QQNZDhjdi/1
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

behavioral2

xwormdiscoveryexecutionpersistencerattrojan