xworm | e87acd0cba7115834705368c2f03b629261bbc80519dc5e65c4395f992b129bc | Triage

Submit
Reports

Overview

overview

Static

static

1

XClient (2).bat

windows7-x64

8

XClient (2).bat

windows10-2004-x64

Sharing

General

Target

XClient (2).bat
Size

278KB
Sample

241108-abxf7stkfm
MD5

87dfdc436f01e7015c743698464c3b8f
SHA1

da351d18f1495a92396cfc1c7252e1b145b9adb2
SHA256

e87acd0cba7115834705368c2f03b629261bbc80519dc5e65c4395f992b129bc
SHA512

751bec2933262568a60c32c3781083b1a087e9f750a2e70b74a376c0cb449a674422398b56314ed8059a92a1a8f92b881fcfd88f68a6f753fd82b18bdde5d499
SSDEEP

6144:KnqZeu/Xeq5Bg0g/4ZL01PA84vRlzzQbVZnPM:cKeIlgLzy8AdKVZPM

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

XClient (2).bat

Resource

win7-20240903-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

XClient (2).bat

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32758

pressure-continuous.gl.at.ply.gg:32758

Attributes

Install_directory
%Temp%
install_file
USB.exe

Targets

- Target
  
  XClient (2).bat
- Size
  
  278KB
- MD5
  
  87dfdc436f01e7015c743698464c3b8f
- SHA1
  
  da351d18f1495a92396cfc1c7252e1b145b9adb2
- SHA256
  
  e87acd0cba7115834705368c2f03b629261bbc80519dc5e65c4395f992b129bc
- SHA512
  
  751bec2933262568a60c32c3781083b1a087e9f750a2e70b74a376c0cb449a674422398b56314ed8059a92a1a8f92b881fcfd88f68a6f753fd82b18bdde5d499
- SSDEEP
  
  6144:KnqZeu/Xeq5Bg0g/4ZL01PA84vRlzzQbVZnPM:cKeIlgLzy8AdKVZPM
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy