xworm | 59529f95dc9a1b17af941ecf2543d611dbbf658a816966748d1959c88adf3512 | Triage

Submit
Reports

Overview

overview

Static

static

3

NEXUS MULT...CK.exe

windows7-x64

NEXUS MULT...CK.exe

windows10-2004-x64

Sharing

General

Target

NEXUS MULTI TOOL COMEBACK.exe
Size

9.7MB
Sample

241109-s2kt7swmcz
MD5

cd65d3bad3a37d4dd85b95ddd6bcfe09
SHA1

1509122389d11f5fa0511544feace0fb42681f5e
SHA256

59529f95dc9a1b17af941ecf2543d611dbbf658a816966748d1959c88adf3512
SHA512

2d98fc40b0c21350594675f8e8e8186d4f017eb5a1519fb8b15b5646c7818d9f0a91e109f126ede4d9215617b49d244dc2e7000053f876afd6ffab32126d579d
SSDEEP

196608:eB3QIp2Bp4fhMw+Ebd0iji6nxg3IO0B/BngQSlbHZAlB7/e3:emIkBp4fhfoijiUxcI/UQQHZAH

Score

10^/10

xworm discovery execution rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NEXUS MULTI TOOL COMEBACK.exe

Resource

win7-20240903-en

xworm rat trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

NEXUS MULTI TOOL COMEBACK.exe

Resource

win10v2004-20241007-en

xworm discovery execution rat trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

foreign-olympic.gl.at.ply.gg:99

147.185.221.23:99

127.0.0.1:99

foreign-olympic.gl.at.ply.gg:21710

147.185.221.23:21710

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
telegram
https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070

Targets

- Target
  
  NEXUS MULTI TOOL COMEBACK.exe
- Size
  
  9.7MB
- MD5
  
  cd65d3bad3a37d4dd85b95ddd6bcfe09
- SHA1
  
  1509122389d11f5fa0511544feace0fb42681f5e
- SHA256
  
  59529f95dc9a1b17af941ecf2543d611dbbf658a816966748d1959c88adf3512
- SHA512
  
  2d98fc40b0c21350594675f8e8e8186d4f017eb5a1519fb8b15b5646c7818d9f0a91e109f126ede4d9215617b49d244dc2e7000053f876afd6ffab32126d579d
- SSDEEP
  
  196608:eB3QIp2Bp4fhMw+Ebd0iji6nxg3IO0B/BngQSlbHZAlB7/e3:emIkBp4fhfoijiUxcI/UQQHZAH
Score

10^/10

xworm rat trojan upx discovery execution
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormrattrojanupx

behavioral2

xwormdiscoveryexecutionrattrojanupx

© 2018-2025

Terms | Privacy