xworm | ea5c93dc24d9407736ffb3beda385f0f42eb682f6a654f9891c09f754560a973 | Triage

Submit
Reports

Overview

overview

Static

static

3

ea5c93dc24...73.exe

windows7-x64

ea5c93dc24...73.exe

windows10-2004-x64

Sharing

General

Target

ea5c93dc24d9407736ffb3beda385f0f42eb682f6a654f9891c09f754560a973.exe
Size

78KB
Sample

241110-dqagrsybqk
MD5

a8cc2daff88948c5943b0f929ec9486c
SHA1

7ccc506bc46d2887a5d4ded2df5caaac4a6f0203
SHA256

ea5c93dc24d9407736ffb3beda385f0f42eb682f6a654f9891c09f754560a973
SHA512

a965155303de05a89954ebdb53a2a7cee7adc5de0bab55cdb1bda179a321ea93121d932acf7dc87a77cda64962bc8a445da59933492cc945b38c0e7d118802ba
SSDEEP

1536:J6KAswl3j+aQRiS2/rmmnx/7MZubpd9zQDACmqGn0LX790kCX+dgp:J6OD6jzxjPLxUACS0LtCFp

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ea5c93dc24d9407736ffb3beda385f0f42eb682f6a654f9891c09f754560a973.exe

Resource

win7-20240903-en

xworm execution persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

ea5c93dc24d9407736ffb3beda385f0f42eb682f6a654f9891c09f754560a973.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

server2025.dns.army:7771

Attributes

Install_directory
%AppData%
install_file
system32.exe

Targets

- Target
  
  ea5c93dc24d9407736ffb3beda385f0f42eb682f6a654f9891c09f754560a973.exe
- Size
  
  78KB
- MD5
  
  a8cc2daff88948c5943b0f929ec9486c
- SHA1
  
  7ccc506bc46d2887a5d4ded2df5caaac4a6f0203
- SHA256
  
  ea5c93dc24d9407736ffb3beda385f0f42eb682f6a654f9891c09f754560a973
- SHA512
  
  a965155303de05a89954ebdb53a2a7cee7adc5de0bab55cdb1bda179a321ea93121d932acf7dc87a77cda64962bc8a445da59933492cc945b38c0e7d118802ba
- SSDEEP
  
  1536:J6KAswl3j+aQRiS2/rmmnx/7MZubpd9zQDACmqGn0LX790kCX+dgp:J6OD6jzxjPLxUACS0LtCFp
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy