xworm | e414acaa3554a5b901c5585d233a3ad81cfa9c8e7d0905601c7c12c2716ab8b5 | Triage

Submit
Reports

Overview

overview

Static

static

1

Presets.txt

windows10-ltsc 2021-x64

Sharing

General

Target

Presets.txt
Size

2KB
Sample

241101-y18sjawngr
MD5

3ecac4639c55cc707c5347e6b1f15a20
SHA1

a754a2259663cd81d7ddd3dba17abb3a3dc8299b
SHA256

e414acaa3554a5b901c5585d233a3ad81cfa9c8e7d0905601c7c12c2716ab8b5
SHA512

6a0edd295c5cde87b9ab98f284243b8f43c15833853005cf3ac18aa40c4d7e029d31c2d8e11a1c1deb9dfc877f039f500c7ac2d5bd0fe9b4f81910593419f636

Score

10^/10

xworm steam discovery persistence phishing rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Presets.txt

Resource

win10ltsc2021-20241023-en

xworm steam discovery persistence phishing rat trojan

windows10-ltsc 2021-x64

35 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

80.76.49.114:1111

Attributes

Install_directory
%AppData%
install_file
Windows.exe

Targets

- Target
  
  Presets.txt
- Size
  
  2KB
- MD5
  
  3ecac4639c55cc707c5347e6b1f15a20
- SHA1
  
  a754a2259663cd81d7ddd3dba17abb3a3dc8299b
- SHA256
  
  e414acaa3554a5b901c5585d233a3ad81cfa9c8e7d0905601c7c12c2716ab8b5
- SHA512
  
  6a0edd295c5cde87b9ab98f284243b8f43c15833853005cf3ac18aa40c4d7e029d31c2d8e11a1c1deb9dfc877f039f500c7ac2d5bd0fe9b4f81910593419f636
Score

10^/10

xworm steam discovery persistence phishing rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Detected potential entity reuse from brand STEAM.
  phishing steam
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormsteamdiscoverypersistencephishingrattrojan

© 2018-2025

Terms | Privacy