xworm | 20a2b53fa64b657e9b7ad71389ea2f6062ad5a98d69e77ec6071a573c479f770 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

cmd.exe

windows7-x64

7

cmd.exe

windows10-2004-x64

Resubmissions

08/11/2024, 23:00

241108-2zc61svjdr 10

07/11/2024, 22:05

241107-1zhaasymcw 8

Sharing

General

Target

cmd.exe
Size

17.7MB
Sample

241108-2zc61svjdr
MD5

eda1e5e0db3a2b4039541ef092343bc5
SHA1

a1e4baf01801b616c57abf1c53194aec548e925e
SHA256

20a2b53fa64b657e9b7ad71389ea2f6062ad5a98d69e77ec6071a573c479f770
SHA512

9379c389ce2f79d345e5f1ac79c281749b74e4d47d9490a2cd6d6f4802e6ffdfa0562f86a2b53b26399502abe20ca3500f1d815e098e4f47307612434b6523b4
SSDEEP

393216:JcofJHb9LhNy9Ihwu1wChdGKw+6j+XIqaEslSzrwy:JlfBb99NyLUP9NTs7y

Score

10^/10

xworm discovery persistence pyinstaller rat spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

cmd.exe

Resource

win7-20240708-en

pyinstaller upx

windows7-x64

6 signatures

1800 seconds

Behavioral task

behavioral2

Sample

cmd.exe

Resource

win10v2004-20241007-en

xworm discovery persistence pyinstaller rat spyware stealer trojan upx

windows10-2004-x64

23 signatures

1800 seconds

Malware Config

Targets

- Target
  
  cmd.exe
- Size
  
  17.7MB
- MD5
  
  eda1e5e0db3a2b4039541ef092343bc5
- SHA1
  
  a1e4baf01801b616c57abf1c53194aec548e925e
- SHA256
  
  20a2b53fa64b657e9b7ad71389ea2f6062ad5a98d69e77ec6071a573c479f770
- SHA512
  
  9379c389ce2f79d345e5f1ac79c281749b74e4d47d9490a2cd6d6f4802e6ffdfa0562f86a2b53b26399502abe20ca3500f1d815e098e4f47307612434b6523b4
- SSDEEP
  
  393216:JcofJHb9LhNy9Ihwu1wChdGKw+6j+XIqaEslSzrwy:JlfBb99NyLUP9NTs7y
Score

10^/10

pyinstaller upx xworm discovery persistence rat spyware stealer trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoverypersistencepyinstallerratspywarestealertrojanupx

© 2018-2025

Terms | Privacy