xworm | 810b933a5e1fb68b73f42193aae5565baf7194f970c4b773abb0b826bf6dd5a4 | Triage

Sharing

General

Target

sp00ferv2.exe
Size

32KB
Sample

241101-xbzmwsslas
MD5

75714244c70d64941cd7e0f6d609afd8
SHA1

e478e0ea903af8e38b47a29f4023c50774d7830c
SHA256

810b933a5e1fb68b73f42193aae5565baf7194f970c4b773abb0b826bf6dd5a4
SHA512

ba0c153182b479255bf53f3707c05fda8b692bcc039c81093987b93f9a1ef47e25b5d7ce1ae7a19406878355f8fdcd76c38546ab68a3acb5a8d5740d36794a37
SSDEEP

768:QYZCbocfBfA84IcdHO7NwZFR9yCOjhU/9c:QYZCbvfBfARHduuFR9yCOjaVc

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

4.tcp.eu.ngrok.io:18635

Mutex

aDVL0kX2ls16bX7K

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  sp00ferv2.exe
- Size
  
  32KB
- MD5
  
  75714244c70d64941cd7e0f6d609afd8
- SHA1
  
  e478e0ea903af8e38b47a29f4023c50774d7830c
- SHA256
  
  810b933a5e1fb68b73f42193aae5565baf7194f970c4b773abb0b826bf6dd5a4
- SHA512
  
  ba0c153182b479255bf53f3707c05fda8b692bcc039c81093987b93f9a1ef47e25b5d7ce1ae7a19406878355f8fdcd76c38546ab68a3acb5a8d5740d36794a37
- SSDEEP
  
  768:QYZCbocfBfA84IcdHO7NwZFR9yCOjhU/9c:QYZCbvfBfARHduuFR9yCOjaVc
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan