xworm | 7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7212825fd6...2N.exe

windows7-x64

7212825fd6...2N.exe

windows10-2004-x64

Sharing

General

Target

7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N
Size

66KB
Sample

241108-vppnqswdpl
MD5

2b494d570e8555cd6dbca8dadae59840
SHA1

c59544f6f3a027887f0e4b0cccce87515ba3950f
SHA256

7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12
SHA512

fe8ca241a512b55758e47e8962bfa1d3d1017559e199d21cbf07afc830d3460a9b6d0f868bfa7ea59979d254c6a29e4d18cf9ae25a6e5b7726a7eb514eb6ea5a
SSDEEP

1536:iKQYa5VddJ8rYtvAq9dAfkb15LU3v2D4oD0l8laOEeVHN:iKQYa5DdyEAq9d6kb15LU3A4ovaOEe5N

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N.exe

Resource

win7-20241010-en

xworm persistence rat trojan

windows7-x64

12 signatures

120 seconds

Behavioral task

behavioral2

Sample

7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N.exe

Resource

win10v2004-20241007-en

xworm persistence rat trojan

windows10-2004-x64

13 signatures

120 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/H3wFXmEi

Targets

- Target
  
  7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N
- Size
  
  66KB
- MD5
  
  2b494d570e8555cd6dbca8dadae59840
- SHA1
  
  c59544f6f3a027887f0e4b0cccce87515ba3950f
- SHA256
  
  7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12
- SHA512
  
  fe8ca241a512b55758e47e8962bfa1d3d1017559e199d21cbf07afc830d3460a9b6d0f868bfa7ea59979d254c6a29e4d18cf9ae25a6e5b7726a7eb514eb6ea5a
- SSDEEP
  
  1536:iKQYa5VddJ8rYtvAq9dAfkb15LU3v2D4oD0l8laOEeVHN:iKQYa5DdyEAq9d6kb15LU3A4ovaOEe5N
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.