xworm

Sharing

Copy URL Twitter E-mail

General

Target

ZoraraNew.rar
Size

153KB
Sample

241003-tw5svsvdll
MD5

9a058ba55a29613a45048fd28b86d931
SHA1

b167ca2181d57dd3b6c43936035459940496b2f1
SHA256

6ab5af954fad44c3ba803ac67646f895f45ecb7a4403a59a50e12b425b0dd8ff
SHA512

1028a65955ef2cbcbcf96c94bd4fb10460ab69369db8ef776f1bbc681eed034602deb25ce085455682319a4add08c60a91471c1d1f1dda16cbd87be597551aad
SSDEEP

3072:CAqMwKUqLdPKa9zLQNAlnurS1K2zqvz7LHjaRFbNwi8S+:CVzKUuyZNUl1VaHcFbNwNS+

Score

10^/10

Malware Config

Extracted

Family

xworm

21.ip.gl.ply.gg:56728

Attributes

Install_directory
%AppData%
install_file
msedgeTaskView2.exe

Targets

- Target
  
  ZoraraNew.rar
- Size
  
  153KB
- MD5
  
  9a058ba55a29613a45048fd28b86d931
- SHA1
  
  b167ca2181d57dd3b6c43936035459940496b2f1
- SHA256
  
  6ab5af954fad44c3ba803ac67646f895f45ecb7a4403a59a50e12b425b0dd8ff
- SHA512
  
  1028a65955ef2cbcbcf96c94bd4fb10460ab69369db8ef776f1bbc681eed034602deb25ce085455682319a4add08c60a91471c1d1f1dda16cbd87be597551aad
- SSDEEP
  
  3072:CAqMwKUqLdPKa9zLQNAlnurS1K2zqvz7LHjaRFbNwi8S+:CVzKUuyZNUl1VaHcFbNwNS+
Score

3^/10
behavioral1 behavioral2
- Target
  
  Zorara.deps.json
- Size
  
  410B
- MD5
  
  fbea22e2c20296a8fbc30ef1a2ea3aaf
- SHA1
  
  7aac9907cb88da54dee3cf853e15f0e452ca74e1
- SHA256
  
  4643b216ffa7e0f78e30b360167203a8f45c466e4b48bf95a01d035d6b1277d4
- SHA512
  
  0c91553d04666ea71f7099ce13cae70fd5b38643b513b36973dfe115ce4c563a4c60958db718c4025814d7be9131857658f0930a9da3f0c137f5557c24c2fee2
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Zorara.dll
- Size
  
  6KB
- MD5
  
  0901b58f82d70c1fe62a4f99db1468f9
- SHA1
  
  bb0ed03b69e9943f7cc6f7dd484e7c6bcfc56dc8
- SHA256
  
  251142e882b94230f6c732c6977b91651af2f202fa466a38d08762d5fbde37f5
- SHA512
  
  7a6c15b9986d66eb94df799f9de2330cf700ec99a49778d7e964f9d62338ff631c0b5edfdddb2ec312c61cbad419b799058c40371b9242e47412eda98acb04ec
- SSDEEP
  
  96:gQ1yAup6Sy+xdH7+CLomj1aw2x57uwuV6u2HzNt:gQ1+Q7+xdbx0mZ7FcR
Score

1^/10
behavioral5 behavioral6
- Target
  
  Zorara.exe
- Size
  
  147KB
- MD5
  
  bfb4c308bdfdf298979345b4c22792ec
- SHA1
  
  10970876f2867a0ca5e2145966101fee099dcc91
- SHA256
  
  ee67a8c95ff5bd9d5a3362a492cd6aebe82d771cccde433251d74988f53db7aa
- SHA512
  
  3271aba4b79d48700d23183eefa0ed3b561a71233f15f36f62b6ca71aa6a58a2c0610226c975d8b58f6c68af8245b733fefdea5c7b147de431fd275990c829d5
- SSDEEP
  
  3072:K5vnr5Tbx829UOeKnn2LFzZBp13u36wKp4FULCGo/:KBKjK2LFzZNf+UL3
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  Zorara.pdb
- Size
  
  10KB
- MD5
  
  bde988aff82cd920f1d62d88c08045a7
- SHA1
  
  06ac641549e9bade7cdf67662f642d79817118fe
- SHA256
  
  1a960aca3dd9abb31a3578f18a65cf575568762fb303e508538317458c8c2b67
- SHA512
  
  30369176c055a2a16c7eb17850f321909e37b90b1746e24936cdd8c00f2064d0c8c7c1e6f05a593291cb4955ae053fbc5eef4340c6c40fbd857f16300a652f26
- SSDEEP
  
  192:EMxMLNcXxQ4WYc7ea1QzIwBvxj36gHB92lgIAKLwQBttn4sfM79GXpGGUHAfcN5h:Ed4WYc7ea1QzIwBvxj36gHbUgn2Btt43
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Zorara.runtimeconfig.json
- Size
  
  147B
- MD5
  
  accb867d1022208b6244a1504ad61c6e
- SHA1
  
  5028ba7f3503486654cacad0d327e9c18fde0de3
- SHA256
  
  f03c65b081ae722b8c7e574c583688d95ee15b246a6bf5c9a79cb496cbd27583
- SHA512
  
  836d5ae174248a0ee72c29a10e9681a0198e5a965ee16eb0b61049b32e3781b6a63c611952765eeb2ad8f2731f42a8883a3db215c40c526b52158b715ee82c76
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  assets/msedge_webVirtual2.exe
- Size
  
  183KB
- MD5
  
  5183e93ff89a194455c584b4714d835a
- SHA1
  
  4ad90b8b64ca43bfe813631356f93586bd4dffcc
- SHA256
  
  7eef3bc5dfed1d1928be64d0c5f02b400961eb1ae1fe05cb58266926a5bb60e5
- SHA512
  
  83545dcea1426cae6461c1cda4077222aeb2b41dfcc0c4211d19cc0b9fd52bf4a0b8c4f6db107bb9c3cc67e8142aeefeedec65f3ba2b715a8fb4dc21ab0dff56
- SSDEEP
  
  3072:G5zIDIXrMGEBb+6kbb3xopOvM+JXRUGKXs+S++7KFSbxeY+qDDrMR:G5zIDIXrMb+LbBZwGqStKEbxI
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13 behavioral14