xworm | 28f00102733ebd8d49df607dc67b5e4a569137d9bc46a5908ec9f5930aaa8804 | Triage

Sharing

General

Target

28f00102733ebd8d49df607dc67b5e4a569137d9bc46a5908ec9f5930aaa8804.js
Size

37KB
Sample

241102-p8m2csveqr
MD5

e92cc1e935c40fea032292de0c6504e7
SHA1

a3a36073c53845f94faded04e4c9cf54873a87b2
SHA256

28f00102733ebd8d49df607dc67b5e4a569137d9bc46a5908ec9f5930aaa8804
SHA512

aa826cf61930bd095c678d9af0401d2429f61e2bf7d47fb6700e96db496791a5659dd81e1686293915a51f6dc94d59cfe02ca10fc7ba0350d56222fddb564845
SSDEEP

384:8ZZ9ZZ9ZZ9ZZRZZ9ZZ9ZZ9ZZlbPZZ9ZZcZZ9ZZ9ZZ9ZZXZZ9ZZ9ZZ9ZZl/ZZ9ZZm:Ywqfm7jk

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://paradisoprovisor1.hospedagemdesites.ws/wp-admin/images/about-heade-about.svg

Extracted

Family

xworm

Version

3.1

C2

45.40.96.97:7000

Mutex

U7A2Hi5eLNhvuoqw

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  28f00102733ebd8d49df607dc67b5e4a569137d9bc46a5908ec9f5930aaa8804.js
- Size
  
  37KB
- MD5
  
  e92cc1e935c40fea032292de0c6504e7
- SHA1
  
  a3a36073c53845f94faded04e4c9cf54873a87b2
- SHA256
  
  28f00102733ebd8d49df607dc67b5e4a569137d9bc46a5908ec9f5930aaa8804
- SHA512
  
  aa826cf61930bd095c678d9af0401d2429f61e2bf7d47fb6700e96db496791a5659dd81e1686293915a51f6dc94d59cfe02ca10fc7ba0350d56222fddb564845
- SSDEEP
  
  384:8ZZ9ZZ9ZZ9ZZRZZ9ZZ9ZZ9ZZlbPZZ9ZZcZZ9ZZ9ZZ9ZZXZZ9ZZ9ZZ9ZZl/ZZ9ZZm:Ywqfm7jk
Score

10^/10

execution xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionrattrojan