xworm | 38933a739032b6ccbe0e7e21c2a3f68b26c87ec8f89e51701899099443affaf8 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

2052-150-0...ry.exe

windows7-x64

2052-150-0...ry.exe

windows10-2004-x64

Sharing

General

Target

2052-150-0x000001A9BB0E0000-0x000001A9BB0F0000-memory.dmp
Size

64KB
Sample

241106-tg9s9sslhy
MD5

2e511711556c84a5748e2a3c9508f79d
SHA1

793fd65b8ad3e3ff4d32b2a2a77873cdd2e51d14
SHA256

38933a739032b6ccbe0e7e21c2a3f68b26c87ec8f89e51701899099443affaf8
SHA512

ac49bf92e5ca38a776b2435eb502a8c04334f76a9d76f68e1c78b6d4edee9506959f840808884a71c17e45822e41b167c40de0a1b33caa8a4bed2775cdf274c7
SSDEEP

768:8TaTaHaxVq3LgGHk8qZHkvhxST9BeY0FWPG9tM6TOMh+7It:8TaT4a8gykRhWhx69BehFh9tM6TOMIk

Score

10^/10

xworm execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2052-150-0x000001A9BB0E0000-0x000001A9BB0F0000-memory.exe

Resource

win7-20240708-en

xworm execution rat trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

2052-150-0x000001A9BB0E0000-0x000001A9BB0F0000-memory.exe

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

6lFXjUqCtT3P20q9

Attributes

install_file
wintousb.exe

aes.plain

Targets

- Target
  
  2052-150-0x000001A9BB0E0000-0x000001A9BB0F0000-memory.dmp
- Size
  
  64KB
- MD5
  
  2e511711556c84a5748e2a3c9508f79d
- SHA1
  
  793fd65b8ad3e3ff4d32b2a2a77873cdd2e51d14
- SHA256
  
  38933a739032b6ccbe0e7e21c2a3f68b26c87ec8f89e51701899099443affaf8
- SHA512
  
  ac49bf92e5ca38a776b2435eb502a8c04334f76a9d76f68e1c78b6d4edee9506959f840808884a71c17e45822e41b167c40de0a1b33caa8a4bed2775cdf274c7
- SSDEEP
  
  768:8TaTaHaxVq3LgGHk8qZHkvhxST9BeY0FWPG9tM6TOMh+7It:8TaT4a8gykRhWhx69BehFh9tM6TOMIk
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy