xworm | 29bbe985c19803a61c9ca715304fa8fc510cf5fc89e0795e66c49228c21db723 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

akt.exe
Size

1.7MB
Sample

241009-vt5whstgqb
MD5

d386565f65fd215007e08b79fad52eca
SHA1

79338a5a2a7b781fac4c622ac30d651773e6d87a
SHA256

29bbe985c19803a61c9ca715304fa8fc510cf5fc89e0795e66c49228c21db723
SHA512

af7bec33430431102717e9ac6330318cddb54bc917dae83ee803b5756e6d20ae1d88144e37305d9ae693b4eba22f620a6b6763b4d8876f6aa3c0c8d5cb1e5209
SSDEEP

49152:y2EYTb8atv1orq+pEiSDTj1VyvBaJ1yHdBvAnOx30KlhY33lSYHEz/N:PXbIrq4bvAn043UYH

Score

10^/10

xworm discovery execution rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kribyrisk.com/b/iyyeOkT.txt

Extracted

Family

xworm

Version

5.0

C2

192.3.182.92:7006

Mutex

Aoea1E8EjOSX7FRX

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7354302040:AAGtvn7bJzaK4r9WucDxDr6yGqWpSJhoF44

aes.plain

Targets

- Target
  
  akt.exe
- Size
  
  1.7MB
- MD5
  
  d386565f65fd215007e08b79fad52eca
- SHA1
  
  79338a5a2a7b781fac4c622ac30d651773e6d87a
- SHA256
  
  29bbe985c19803a61c9ca715304fa8fc510cf5fc89e0795e66c49228c21db723
- SHA512
  
  af7bec33430431102717e9ac6330318cddb54bc917dae83ee803b5756e6d20ae1d88144e37305d9ae693b4eba22f620a6b6763b4d8876f6aa3c0c8d5cb1e5209
- SSDEEP
  
  49152:y2EYTb8atv1orq+pEiSDTj1VyvBaJ1yHdBvAnOx30KlhY33lSYHEz/N:PXbIrq4bvAn043UYH
Score

10^/10

discovery execution xworm rat spyware stealer trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

xwormdiscoveryexecutionratspywarestealertrojan