xworm | 8ec295982ca22a14ca3098eaba0ad73948c7e546d738e838244e01f4af57673a | Triage

Submit
Reports

Overview

overview

Static

static

3

TalibanSte...er.exe

windows7-x64

TalibanSte...er.exe

windows10-2004-x64

Sharing

General

Target

TalibanStealerInstaller.exe.zip
Size

3.7MB
Sample

241108-zlmgesymgs
MD5

03c5e281cc11a2529a5814ca5c27888f
SHA1

782d49e1817db79a047b3e1f088d82af93c7d7fe
SHA256

8ec295982ca22a14ca3098eaba0ad73948c7e546d738e838244e01f4af57673a
SHA512

082a4613db1eadc2cf29a3c1ee7636c1ab5270029b1b00c186915025f05e42a031441b55b551eaf9b8900090cc579dae63727b7e98ce45ea0d3d0641f80a77d9
SSDEEP

98304:XzkU8yHpkkAnr+uZZMVcUdQkzgo08aJdrY:NHOnr+HzM1HU

Score

10^/10

xworm defense_evasion discovery rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

TalibanStealerInstaller.exe

Resource

win7-20241023-en

xworm defense_evasion discovery rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

TalibanStealerInstaller.exe

Resource

win10v2004-20241007-en

xworm defense_evasion discovery rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Targets

- Target
  
  TalibanStealerInstaller.exe
- Size
  
  4.1MB
- MD5
  
  7531fbb7431039bda2b19160e0b9c2d4
- SHA1
  
  b7f4a971ebf8128ee1ea7cb764b9582fb73b8002
- SHA256
  
  6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8
- SHA512
  
  5b8b09d896e12f3da879939f3c925da58ba79c6c1f2559594b1eb11d8fd5f63d3afeb12484b8656e0ba929cb0bb7fbb67a566d3599769c955885ca21b4036487
- SSDEEP
  
  98304:51mCYY8UGo4x83fa1lyrd3qNz6VTDwgiLC/sE1:nmCWUUqi1s530+VohE
Score

10^/10

xworm defense_evasion discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryrattrojan

behavioral2

xwormdefense_evasiondiscoveryrattrojan

© 2018-2025

Terms | Privacy