xworm | a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad | Triage

Sharing

General

Target

a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
Size

10.5MB
Sample

241107-dd5gdavalr
MD5

5b181d2d87aa99c90b3593845a0a3257
SHA1

1d9dbd51f21317c839d9c9058ac1f890e5ca9245
SHA256

a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad
SHA512

7c0a73687eeb7f0917da13b0bc780e95260677349496fcca09ecbd36e2c2acfa61b86bc9cd4c3f1335c89351e384fc63664c8e4323e09b6696e0dcc0927dadc7
SSDEEP

196608:+2E+1M6U3b01Kpn3V+uq+VvpSdQmRJ8dA6lkaycBIGpEGo6hTOv+QKfW8fw:YL01+l+uq+VvUdQuslp9foWOv+9f

Score

10^/10

xworm discovery execution pyinstaller rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1

Extracted

Family

xworm

Version

5.0

Mutex

6lFXjUqCtT3P20q9

Attributes

install_file
wintousb.exe

aes.plain

Targets

- Target
  
  a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
- Size
  
  10.5MB
- MD5
  
  5b181d2d87aa99c90b3593845a0a3257
- SHA1
  
  1d9dbd51f21317c839d9c9058ac1f890e5ca9245
- SHA256
  
  a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad
- SHA512
  
  7c0a73687eeb7f0917da13b0bc780e95260677349496fcca09ecbd36e2c2acfa61b86bc9cd4c3f1335c89351e384fc63664c8e4323e09b6696e0dcc0927dadc7
- SSDEEP
  
  196608:+2E+1M6U3b01Kpn3V+uq+VvpSdQmRJ8dA6lkaycBIGpEGo6hTOv+QKfW8fw:YL01+l+uq+VvUdQuslp9foWOv+9f
Score

10^/10

xworm discovery execution pyinstaller rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionpyinstallerrattrojan