xworm | c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22 | Triage

Submit
Reports

Overview

overview

Static

static

c njfrDAJ.exe

windows7-x64

c njfrDAJ.exe

windows10-2004-x64

c njfrDAJ.exe

windows10-ltsc 2021-x64

c njfrDAJ.exe

windows11-21h2-x64

Sharing

General

Target

c njfrDAJ.exe
Size

140KB
Sample

241105-dptt1stbjb
MD5

445e516f9ca9d204baa359ee36edc8e0
SHA1

f5a3267afbc73c16620bcc3b332fadd8104d60bf
SHA256

c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
SHA512

e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
SSDEEP

768:Gmcgc7ptu0Nqf4v6hCuuJf27ZZfFWPG9/06OOwh2SjGbn621sIwEk4w00wM:hc7tu0EgwCuuJfKFv9/06OOw4SC+EA

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

c njfrDAJ.exe

Resource

win7-20240708-en

xworm discovery execution persistence ransomware rat trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

c njfrDAJ.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Behavioral task

behavioral3

Sample

c njfrDAJ.exe

Resource

win10ltsc2021-20241023-en

xworm execution persistence rat trojan

windows10-ltsc 2021-x64

15 signatures

150 seconds

Behavioral task

behavioral4

Sample

c njfrDAJ.exe

Resource

win11-20241007-en

xworm execution persistence rat trojan

windows11-21h2-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.22:29307

videos-gsm.gl.at.ply.gg:29307

Mutex

akkHSUfQR3bLHwnR

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Targets

- Target
  
  c njfrDAJ.exe
- Size
  
  140KB
- MD5
  
  445e516f9ca9d204baa359ee36edc8e0
- SHA1
  
  f5a3267afbc73c16620bcc3b332fadd8104d60bf
- SHA256
  
  c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
- SHA512
  
  e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
- SSDEEP
  
  768:Gmcgc7ptu0Nqf4v6hCuuJf27ZZfFWPG9/06OOwh2SjGbn621sIwEk4w00wM:hc7tu0EgwCuuJfKFv9/06OOw4SC+EA
Score

10^/10

xworm discovery execution persistence ransomware rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistenceransomwarerattrojan

behavioral2

xwormexecutionpersistencerattrojan

behavioral3

xwormexecutionpersistencerattrojan

behavioral4

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy