xworm | a17456d92d96f3fa579828f04e0530bf650eb92baf68bc414f101f6656c01cda | Triage

Submit
Reports

Overview

overview

Static

static

3

DeadPayload.exe

windows10-2004-x64

Sharing

General

Target

DeadPayload.exe
Size

500KB
Sample

241031-xnjr7s1jbz
MD5

4dbebfa079ea4b45eb94e2843180c56b
SHA1

820487493a6845752041ca9e0f714025c9eda4bc
SHA256

a17456d92d96f3fa579828f04e0530bf650eb92baf68bc414f101f6656c01cda
SHA512

b347ac5f39440fad010c8c8e715fb293967ae08b43cf246ea09b328b00a4f35ea6a251e432ad6c26901fb5db8936c57f370df321ae86cb8180e5aee2de57574b
SSDEEP

12288:N3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sdN:dkGTy

Score

10^/10

xworm discovery execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

DeadPayload.exe

Resource

win10v2004-20241007-en

xworm discovery execution rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

QgVg78qW15uIsQ4H

Attributes

Install_directory
%Public%
install_file
ohh.exe
pastebin_url
https://pastebin.com/raw/J09JweeH

aes.plain

Targets

- Target
  
  DeadPayload.exe
- Size
  
  500KB
- MD5
  
  4dbebfa079ea4b45eb94e2843180c56b
- SHA1
  
  820487493a6845752041ca9e0f714025c9eda4bc
- SHA256
  
  a17456d92d96f3fa579828f04e0530bf650eb92baf68bc414f101f6656c01cda
- SHA512
  
  b347ac5f39440fad010c8c8e715fb293967ae08b43cf246ea09b328b00a4f35ea6a251e432ad6c26901fb5db8936c57f370df321ae86cb8180e5aee2de57574b
- SSDEEP
  
  12288:N3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sdN:dkGTy
Score

10^/10

xworm discovery execution rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy