xworm | bc52fd4f33693de583c71f980d5b61ec2991ffdb915da00d2b52eec109ef1b17 | Triage

Submit
Reports

Overview

overview

Static

static

1

LIST.ITEMS.exe

windows7-x64

LIST.ITEMS.exe

windows10-2004-x64

Sharing

General

Target

bc52fd4f33693de583c71f980d5b61ec2991ffdb915da00d2b52eec109ef1b17
Size

428KB
Sample

241031-tg4x1s1fmm
MD5

fe30074034015e24ef8e0e4e2305383b
SHA1

aed3115c8d403e8edbde539786524a5bf166fd5b
SHA256

bc52fd4f33693de583c71f980d5b61ec2991ffdb915da00d2b52eec109ef1b17
SHA512

902944eaecdddf441e9dc360aafdd1eea4d02c294203a2405528e766a0d2b234591bd21092f9139348c695498d886ca97dee830b5d5b29a0193eabc406ce8108
SSDEEP

12288:w2x+xZf8ViBo/DGt1u85/qCkE33Rf9RYmllX7jQQ53:w2x410rI1CCHnRf9HHkQ

Score

10^/10

xworm discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

LIST.ITEMS.exe

Resource

win7-20240708-en

xworm discovery execution rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

LIST.ITEMS.exe

Resource

win10v2004-20241007-en

xworm discovery execution rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

savelat19847.duckdns.org:7000

Mutex

sL1COlJF2Dst73el

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  LIST.ITEMS.exe
- Size
  
  556KB
- MD5
  
  d7c03169dbdd363163dbfc5119738c61
- SHA1
  
  e51f6fe9f9422c054d7b33e949981239ef3355eb
- SHA256
  
  c304f5610e7059e7eb2100f0de1e6c1bbeeaa75d746f75e3561eee5b7fb0ac92
- SHA512
  
  bbf5eba23c466a478ec381c127a70fc8e1ca7e0b744cf89606341df918b2d40c5c71f29a1f19532c5a83f886e75393e3744d9ae4f4b9862af22d08e596978dec
- SSDEEP
  
  12288:qI/rXQ9TZwetjcQaBJLJ/yd4bIhX3KVaV910N4VtndapxbzVykR:/atjdSJ/HIhHKa9GNitApVzr
Score

10^/10

xworm discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionrattrojan

behavioral2

xwormdiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy