xworm | 1ab3ff2824b6f74e483449230b9f9ccf1c4ef45b787ab2753c1648c9c32a7b5c | Triage

Submit
Reports

Overview

overview

Static

static

1

android-ev...d.html

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

android-evon-mobile-executor-roblox-download
Size

9KB
Sample

241011-1f2vlazdlr
MD5

7f8ee050d779dd287baec89600d7c92d
SHA1

0757aad5e1e59d165b3b335cb630c1c77e6c177e
SHA256

1ab3ff2824b6f74e483449230b9f9ccf1c4ef45b787ab2753c1648c9c32a7b5c
SHA512

02c2041ce5cd33671ba53f5d6cf272debd45928c8b5ca93f4b8eb62a9203117504af10c2a1c1de031cb739007271e1210de79f89d0135e18f71ba00f23ff0dd3
SSDEEP

192:PN2x2BMup0UJklqjKYzCAoDqkvKa5z73FzysN:AxpuKOkMjVNoGMftBTN

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

android-evon-mobile-executor-roblox-download.html

Resource

win10v2004-20241007-en

xworm defense_evasion discovery execution rat trojan

windows10-2004-x64

29 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

Version

3.0

C2

mini-jungle.at.ply.gg:3499

Attributes

install_file
USB.exe

Targets

- Target
  
  android-evon-mobile-executor-roblox-download
- Size
  
  9KB
- MD5
  
  7f8ee050d779dd287baec89600d7c92d
- SHA1
  
  0757aad5e1e59d165b3b335cb630c1c77e6c177e
- SHA256
  
  1ab3ff2824b6f74e483449230b9f9ccf1c4ef45b787ab2753c1648c9c32a7b5c
- SHA512
  
  02c2041ce5cd33671ba53f5d6cf272debd45928c8b5ca93f4b8eb62a9203117504af10c2a1c1de031cb739007271e1210de79f89d0135e18f71ba00f23ff0dd3
- SSDEEP
  
  192:PN2x2BMup0UJklqjKYzCAoDqkvKa5z73FzysN:AxpuKOkMjVNoGMftBTN
Score

10^/10

xworm defense_evasion discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy