xworm | 9eb00c37db0331a7a0ef2056bda5ffe8fde8d812f4d3f8b54f278ba041cfd2a0 | Triage

Sharing

General

Target

order_receipt#277.vbs
Size

138KB
Sample

241029-xw995axkf1
MD5

e845c7177b3fbef4bacea00df938bc28
SHA1

af8f1912ee1d5e2daa119d52537fc09a8316aa4d
SHA256

9eb00c37db0331a7a0ef2056bda5ffe8fde8d812f4d3f8b54f278ba041cfd2a0
SHA512

85c0b69a7f3b615b0796f882620d40c4bc5b8f79b3adffc11cee3b08085879f55c78c81a65671c2701139d4c68c39b27178730241be00a0054c37809936b0043
SSDEEP

1536:Qyb8Rgt5pzGGwEM9cW/9WoOv5xvX7Nvx48bOAobVHL3x:QybOgt5pCGwEM/FWXvnLNvxrbO3bVr3x

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

xworm

Version

5.0

Mutex

aq3Fac3Pq9GHgZuk

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/juxAi7cy

aes.plain

Targets

- Target
  
  order_receipt#277.vbs
- Size
  
  138KB
- MD5
  
  e845c7177b3fbef4bacea00df938bc28
- SHA1
  
  af8f1912ee1d5e2daa119d52537fc09a8316aa4d
- SHA256
  
  9eb00c37db0331a7a0ef2056bda5ffe8fde8d812f4d3f8b54f278ba041cfd2a0
- SHA512
  
  85c0b69a7f3b615b0796f882620d40c4bc5b8f79b3adffc11cee3b08085879f55c78c81a65671c2701139d4c68c39b27178730241be00a0054c37809936b0043
- SSDEEP
  
  1536:Qyb8Rgt5pzGGwEM9cW/9WoOv5xvX7Nvx48bOAobVHL3x:QybOgt5pCGwEM/FWXvnLNvxrbO3bVr3x
Score

10^/10

discovery execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

xwormdiscoveryexecutionrattrojan