xworm | 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9 | Triage

Sharing

General

Target

file.exe
Size

16KB
Sample

241104-wdej3athlh
MD5

acfdf588da4f3d02f8b4e6db8cc9e60d
SHA1

71bc876820b36d478f65cb9f236499d8c98a7fdd
SHA256

6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
SHA512

3698487d35e5d12d013c4f986375191e645038fa3199d7950c03370c085533aa6da2710ab2c9b7f200d5625c90b39bb5580fbf0dfced9cad6ebac86e001d83b8
SSDEEP

384:eRc06pZg1jOAJO0lsJeho4ZbP5bvGINB9FlbP4Nk:qX6pZgAiO0Be49RlNB9XbQK

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8895

162.230.48.189:8895

Mutex

ZRGtN7NDh24Vx89x

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  file.exe
- Size
  
  16KB
- MD5
  
  acfdf588da4f3d02f8b4e6db8cc9e60d
- SHA1
  
  71bc876820b36d478f65cb9f236499d8c98a7fdd
- SHA256
  
  6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
- SHA512
  
  3698487d35e5d12d013c4f986375191e645038fa3199d7950c03370c085533aa6da2710ab2c9b7f200d5625c90b39bb5580fbf0dfced9cad6ebac86e001d83b8
- SSDEEP
  
  384:eRc06pZg1jOAJO0lsJeho4ZbP5bvGINB9FlbP4Nk:qX6pZgAiO0Be49RlNB9XbQK
Score

10^/10

discovery xworm execution persistence rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionpersistencerattrojan