xworm | cbc725af77ebf25c61784ad3df87a4d42003492931562c3d6ca00c0726320f98 | Triage

Submit
Reports

Overview

overview

Static

static

3

CMDBITX_Cr...x1.exe

windows10-ltsc 2021-x64

Sharing

General

Target

CMDBITX_Crack__By_Rank1_Fix1.exe
Size

5.7MB
Sample

241102-l62vystkhp
MD5

f5ca75b6deed282fb277bcd87dcf968d
SHA1

de0aafbc767308332795f0de7d59e30f1f1293fa
SHA256

cbc725af77ebf25c61784ad3df87a4d42003492931562c3d6ca00c0726320f98
SHA512

bffbe2cf79dfd4efdb760d3bb440f2ebbee7a1db6c4b6f87e19407efa597927f35766dfb23300890ce0f2c33e2f178c25423d6cd6bd3d1500574efd72e365f57
SSDEEP

98304:ezg8NHE04004RmgZKJG4HrC5rji6tXtNhUc9u70rhwt3FNHbJ5gJYNIi56LKAsYv:ezvdh40lRmwuG4Glt1Uy/t0Xb5NIiIAK

Score

10^/10

xworm rat trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

CMDBITX_Crack__By_Rank1_Fix1.exe

Resource

win10ltsc2021-20241023-en

xworm rat trojan vmprotect

windows10-ltsc 2021-x64

12 signatures

30 seconds

Malware Config

Extracted

Family

xworm

C2

85.203.4.149:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Targets

- Target
  
  CMDBITX_Crack__By_Rank1_Fix1.exe
- Size
  
  5.7MB
- MD5
  
  f5ca75b6deed282fb277bcd87dcf968d
- SHA1
  
  de0aafbc767308332795f0de7d59e30f1f1293fa
- SHA256
  
  cbc725af77ebf25c61784ad3df87a4d42003492931562c3d6ca00c0726320f98
- SHA512
  
  bffbe2cf79dfd4efdb760d3bb440f2ebbee7a1db6c4b6f87e19407efa597927f35766dfb23300890ce0f2c33e2f178c25423d6cd6bd3d1500574efd72e365f57
- SSDEEP
  
  98304:ezg8NHE04004RmgZKJG4HrC5rji6tXtNhUc9u70rhwt3FNHbJ5gJYNIi56LKAsYv:ezvdh40lRmwuG4Glt1Uy/t0Xb5NIiIAK
Score

10^/10

xworm rat trojan vmprotect
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormrattrojanvmprotect

© 2018-2025

Terms | Privacy