xworm | f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4 | Triage

Sharing

General

Target

f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe
Size

85.1MB
Sample

241107-d4cjaatmgw
MD5

8310bdf3ac82001830f75c15fba8cc15
SHA1

581d729268cbd245d091633cc19692c4b5bfa0af
SHA256

f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4
SHA512

ceab56619fa83baddcc3af7b781ce144ec53db919a6a80079b51e874d495e78349dc6882dad3f815c95274d8caca514765f34086f0b7acb8d42c616ca1714bf0
SSDEEP

49152:kDSdqvdbLqSewjI63pCESb+7sQuJwomAiyHwjfUZo+JP0D73BB681fhojkIG1l0D:

Score

10^/10

xworm discovery evasion execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

C2

45.145.41.178:1111

Attributes

Install_directory
%AppData%
install_file
Windows Defender Notification.exe

Targets

- Target
  
  f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe
- Size
  
  85.1MB
- MD5
  
  8310bdf3ac82001830f75c15fba8cc15
- SHA1
  
  581d729268cbd245d091633cc19692c4b5bfa0af
- SHA256
  
  f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4
- SHA512
  
  ceab56619fa83baddcc3af7b781ce144ec53db919a6a80079b51e874d495e78349dc6882dad3f815c95274d8caca514765f34086f0b7acb8d42c616ca1714bf0
- SSDEEP
  
  49152:kDSdqvdbLqSewjI63pCESb+7sQuJwomAiyHwjfUZo+JP0D73BB681fhojkIG1l0D:
Score

10^/10

xworm discovery evasion execution persistence privilege_escalation rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Time Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryevasionexecutionpersistenceprivilege_escalationrattrojan

behavioral2

xwormdiscoveryevasionexecutionpersistenceprivilege_escalationrattrojan