xworm | 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

6425c4148a...c9.exe

windows7-x64

3

6425c4148a...c9.exe

windows10-2004-x64

Sharing

General

Target

6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
Size

16KB
Sample

241105-dxmexatckf
MD5

acfdf588da4f3d02f8b4e6db8cc9e60d
SHA1

71bc876820b36d478f65cb9f236499d8c98a7fdd
SHA256

6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
SHA512

3698487d35e5d12d013c4f986375191e645038fa3199d7950c03370c085533aa6da2710ab2c9b7f200d5625c90b39bb5580fbf0dfced9cad6ebac86e001d83b8
SSDEEP

384:eRc06pZg1jOAJO0lsJeho4ZbP5bvGINB9FlbP4Nk:qX6pZgAiO0Be49RlNB9XbQK

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe

Resource

win7-20240903-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe

Resource

win10v2004-20241007-en

xworm discovery execution persistence rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8895

162.230.48.189:8895

Mutex

ZRGtN7NDh24Vx89x

Attributes

install_file
USB.exe

aes.plain

1
Me4uC3lLk8blEI65GT9n2g==

Targets

- Target
  
  6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
- Size
  
  16KB
- MD5
  
  acfdf588da4f3d02f8b4e6db8cc9e60d
- SHA1
  
  71bc876820b36d478f65cb9f236499d8c98a7fdd
- SHA256
  
  6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
- SHA512
  
  3698487d35e5d12d013c4f986375191e645038fa3199d7950c03370c085533aa6da2710ab2c9b7f200d5625c90b39bb5580fbf0dfced9cad6ebac86e001d83b8
- SSDEEP
  
  384:eRc06pZg1jOAJO0lsJeho4ZbP5bvGINB9FlbP4Nk:qX6pZgAiO0Be49RlNB9XbQK
Score

10^/10

discovery xworm execution persistence rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.