xworm | d90764628aafd8e1ba1273d2a6f52513b27368805631b5c660dc2d2af590d837 | Triage

Sharing

General

Target

CZABypassmenu.bat
Size

385KB
Sample

241004-h9p4savhkd
MD5

a4081b4f76dc012cc7a6933130b5136d
SHA1

a8d85c7d88374fb628ce4484c3795cca3fc3660e
SHA256

d90764628aafd8e1ba1273d2a6f52513b27368805631b5c660dc2d2af590d837
SHA512

984f51f8cd96a05fe22ac362e55cc89511ede5af1d3165b139bdf365bc2c8bb825b87757552bf1a2316379c1326da6a502dcdfdb5d4be54d3f740d198b11aa54
SSDEEP

6144:E4ywd2XdIEAf+32995oVbkQDTBjkhti3gtuRhBK1bZBeHy36JCn:E4ywd4TAm3vxTTahERRLK1tULsn

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:25993

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  CZABypassmenu.bat
- Size
  
  385KB
- MD5
  
  a4081b4f76dc012cc7a6933130b5136d
- SHA1
  
  a8d85c7d88374fb628ce4484c3795cca3fc3660e
- SHA256
  
  d90764628aafd8e1ba1273d2a6f52513b27368805631b5c660dc2d2af590d837
- SHA512
  
  984f51f8cd96a05fe22ac362e55cc89511ede5af1d3165b139bdf365bc2c8bb825b87757552bf1a2316379c1326da6a502dcdfdb5d4be54d3f740d198b11aa54
- SSDEEP
  
  6144:E4ywd2XdIEAf+32995oVbkQDTBjkhti3gtuRhBK1bZBeHy36JCn:E4ywd4TAm3vxTTahERRLK1tULsn
Score

10^/10

xworm defense_evasion execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionexecutionpersistencerattrojan