xworm | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

81839d52f8...c4.exe

windows7-x64

81839d52f8...c4.exe

windows10-2004-x64

Sharing

General

Target

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
Size

9.6MB
Sample

241003-b4jw9a1hlh
MD5

dbbc877901e2a5a8c73c77b28a699960
SHA1

c4ac39e195c4c76110958801ef482ac5d1af8941
SHA256

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4
SHA512

9fa8359322eaec930786ea003540cf1bbcb7bf11205a5c5b9ef8d55a8cc8ad2c2c6289a010aa8f172443e3895b6c81b290d9145c7557335b8f7c180638bb08da
SSDEEP

196608:K7kTvcGFwgJHb9fi4OEcGyYf/be2MAtMJjTPFrh+IRHi6b:K7O0GS079fHckf/a1AyJXX5iE

Score

10^/10

xworm discovery rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe

Resource

win7-20240903-en

xworm discovery rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe

Resource

win10v2004-20240802-en

xworm rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

178.215.236.225:7000

Attributes

Install_directory
%AppData%
install_file
TaskSchedular.exe

Targets

- Target
  
  81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
- Size
  
  9.6MB
- MD5
  
  dbbc877901e2a5a8c73c77b28a699960
- SHA1
  
  c4ac39e195c4c76110958801ef482ac5d1af8941
- SHA256
  
  81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4
- SHA512
  
  9fa8359322eaec930786ea003540cf1bbcb7bf11205a5c5b9ef8d55a8cc8ad2c2c6289a010aa8f172443e3895b6c81b290d9145c7557335b8f7c180638bb08da
- SSDEEP
  
  196608:K7kTvcGFwgJHb9fi4OEcGyYf/be2MAtMJjTPFrh+IRHi6b:K7O0GS079fHckf/a1AyJXX5iE
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Time Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryrattrojan

behavioral2

© 2018-2025

Terms | Privacy