xworm | bcec20dcac1cf510c5e55e385ec84a26e93d7bda60fd4163708eba9f1e52849c | Triage

Submit
Reports

Overview

overview

Static

static

3

Oauth-join...ed.exe

windows7-x64

Oauth-join...ed.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

Oauth-joiner-cleaned.exe
Size

77.2MB
Sample

241008-1l2f1szckl
MD5

1b29b3bcde010f603e64237893f49de1
SHA1

f06437d63f55947d8de099b9e6687e205cfcd82b
SHA256

bcec20dcac1cf510c5e55e385ec84a26e93d7bda60fd4163708eba9f1e52849c
SHA512

447ceb3be33a12705a663749a0d9259b7d411f5b6774c8ccd8abd3704a70a542b311a68a5903a4b44a25210748bdc233881ce46c696122310f0820262df84d63
SSDEEP

1572864:ScPlC4hahF/gk98Vb7NL5z1ZLWNmfpee7ycbGrswIG6UiYxDVbWbs4a6m:SqLq5ynMe7fKr7rxjWV

Score

10^/10

xworm evasion execution persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Oauth-joiner-cleaned.exe

Resource

win7-20240903-en

xworm rat trojan upx

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

Oauth-joiner-cleaned.exe

Resource

win10v2004-20241007-en

xworm evasion execution persistence rat trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:4570

detailed-programming.gl.at.ply.gg:4570

Attributes

Install_directory
%ProgramData%
install_file
system.exe
telegram
https://api.telegram.org/bot7393663220:AAEX8TwRx5_ZYBB3p82LVgycXEx7HdlFl3w/sendMessage?chat_id=7667501293

Targets

- Target
  
  Oauth-joiner-cleaned.exe
- Size
  
  77.2MB
- MD5
  
  1b29b3bcde010f603e64237893f49de1
- SHA1
  
  f06437d63f55947d8de099b9e6687e205cfcd82b
- SHA256
  
  bcec20dcac1cf510c5e55e385ec84a26e93d7bda60fd4163708eba9f1e52849c
- SHA512
  
  447ceb3be33a12705a663749a0d9259b7d411f5b6774c8ccd8abd3704a70a542b311a68a5903a4b44a25210748bdc233881ce46c696122310f0820262df84d63
- SSDEEP
  
  1572864:ScPlC4hahF/gk98Vb7NL5z1ZLWNmfpee7ycbGrswIG6UiYxDVbWbs4a6m:SqLq5ynMe7fKr7rxjWV
Score

10^/10

xworm rat trojan upx evasion execution persistence
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Enumerates VirtualBox DLL files
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

File and Directory Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormrattrojanupx

behavioral2

xwormevasionexecutionpersistencerattrojanupx

© 2018-2025

Terms | Privacy