xworm | 41c4884469e65d8a57747a02a5e935d13e05a0c279ff4f9117cb5cbcc65fde73 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

MR. OCTOPU...��.exe

windows10-ltsc 2021-x64

Sharing

General

Target

MR. OCTOPUS‌‌‌.exe
Size

61.4MB
Sample

241106-kj853syrdk
MD5

16f4e4d66e5fdb5897af37ea7c067df9
SHA1

326468c89d4eeb4127e8db754f8bc738d3e6f3a7
SHA256

41c4884469e65d8a57747a02a5e935d13e05a0c279ff4f9117cb5cbcc65fde73
SHA512

4f81e5d182f8c49e4487b7782e283c2274ec27060b53cd1b56ec4ca8f14c25fb5e50158e7b5df6b3ced0fc6c896a01c63a5a84185349f900150cc89da9c88d06
SSDEEP

1572864:jFtdm5ugJDjavJqMV21ihlX1UZ9d34atoZyVr6aZNz:jFtdm5u0G61KBKZT3Qar6aH

Score

10^/10

xworm discovery execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

MR. OCTOPUS‌‌‌.exe

Resource

win10ltsc2021-20241023-en

xworm discovery execution rat trojan

windows10-ltsc 2021-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes

Install_directory
%AppData%
install_file
smartscreen.exe
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Targets

- Target
  
  MR. OCTOPUS‌‌‌.exe
- Size
  
  61.4MB
- MD5
  
  16f4e4d66e5fdb5897af37ea7c067df9
- SHA1
  
  326468c89d4eeb4127e8db754f8bc738d3e6f3a7
- SHA256
  
  41c4884469e65d8a57747a02a5e935d13e05a0c279ff4f9117cb5cbcc65fde73
- SHA512
  
  4f81e5d182f8c49e4487b7782e283c2274ec27060b53cd1b56ec4ca8f14c25fb5e50158e7b5df6b3ced0fc6c896a01c63a5a84185349f900150cc89da9c88d06
- SSDEEP
  
  1572864:jFtdm5ugJDjavJqMV21ihlX1UZ9d34atoZyVr6aZNz:jFtdm5u0G61KBKZT3Qar6aH
Score

10^/10

xworm discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy