xworm | cd9afdef9b69b501d2767b70792a481f1c768ba3585a53de167703fe250ab2b4 | Triage

Submit
Reports

Overview

overview

Static

static

3

XBASS.exe

windows7-x64

XBASS.exe

windows10-2004-x64

Sharing

General

Target

cd9afdef9b69b501d2767b70792a481f1c768ba3585a53de167703fe250ab2b4
Size

380KB
Sample

241031-vrtqga1gqg
MD5

04ac6e542ab1da8613a95d2ba96ea42c
SHA1

9ebeb2b6202298943f9af83c7d21770573b0051a
SHA256

cd9afdef9b69b501d2767b70792a481f1c768ba3585a53de167703fe250ab2b4
SHA512

26d7c28b31099f401280b05b261ef93aae34288bec0e3ec98dbc2de68a3d447e9be175073988bcfdd694c04fc680dab33febac1c21af2741830c8f9218e4774a
SSDEEP

6144:+QIdxXoTEXCwa9c8Ls28E9DUzymHe2gKGZ66Db13Zc7tNvo2fVHY5E1Cj+BzsJnY:+Q4xXoTEXCwOHkVzle2FYbFo02fVGEH7

Score

10^/10

xworm discovery evasion execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

XBASS.exe

Resource

win7-20240903-en

xworm discovery evasion execution rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

XBASS.exe

Resource

win10v2004-20241007-en

xworm discovery evasion execution rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

savelat19847.duckdns.org:7000

Mutex

69DII5G7d5Uac5Kb

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  XBASS.exe
- Size
  
  1.5MB
- MD5
  
  638e5f44f917de3b3b3473aafbde50b1
- SHA1
  
  8f48986374bcac52c2df6268bc0456864bbca12f
- SHA256
  
  7a0edc7a5d067e8df9bf44c4ef85d0e0bd9b4ae09a4569737480d1ca861f05e1
- SHA512
  
  62f916f131c65096c91c1674ed85e2903648f2c1772e785cc34d1bb9c40bb0126f0e3e1a3c0eb5e670d567a57db27af71fcb45658d38ee9c28792ce89256c637
- SSDEEP
  
  12288:jm6xXKTEXCwEapqeQYl+3e+C6HLn0E7C6P/:ZK4xqepl+3Vb00C6P/
Score

10^/10

xworm discovery evasion execution rat trojan
- Detect Xworm Payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryevasionexecutionrattrojan

behavioral2

xwormdiscoveryevasionexecutionrattrojan

© 2018-2025

Terms | Privacy