xworm | 6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e | Triage

Submit
Reports

Overview

overview

Static

static

1

ss cosmeti...am.bat

windows10-2004-x64

ss cosmeti...am.bat

windows11-21h2-x64

Sharing

General

Target

ss cosmeticx for gtag steam.bat
Size

294KB
Sample

241014-a8fvqatgrh
MD5

be47f172f3f7ea7f36bcc6dcb6a410f2
SHA1

8da368d5baf6a818ad6148e43a2b7f69b8a56664
SHA256

6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e
SHA512

b2f43c4676dd0a0ef0452c48f17cdf849f4e8765afbc122deeca08a15a487be2c4c8072e2c2ff02367cb6130a0482817f92ceb117f6ec6c9651630ec77fca68d
SSDEEP

6144:Xt99Rt0+CSyli/VEb/ZOeTbaRuA6m/BvRj8UnJfDRDJkGfVD626QTLDC4uQ:XtrRtiyeNa8AOuDRDJPND6KN

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

ss cosmeticx for gtag steam.bat

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

11 signatures

1800 seconds

Behavioral task

behavioral2

Sample

ss cosmeticx for gtag steam.bat

Resource

win11-20241007-en

xworm execution rat trojan

windows11-21h2-x64

10 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:13469

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  ss cosmeticx for gtag steam.bat
- Size
  
  294KB
- MD5
  
  be47f172f3f7ea7f36bcc6dcb6a410f2
- SHA1
  
  8da368d5baf6a818ad6148e43a2b7f69b8a56664
- SHA256
  
  6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e
- SHA512
  
  b2f43c4676dd0a0ef0452c48f17cdf849f4e8765afbc122deeca08a15a487be2c4c8072e2c2ff02367cb6130a0482817f92ceb117f6ec6c9651630ec77fca68d
- SSDEEP
  
  6144:Xt99Rt0+CSyli/VEb/ZOeTbaRuA6m/BvRj8UnJfDRDJkGfVD626QTLDC4uQ:XtrRtiyeNa8AOuDRDJPND6KN
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy