xworm | 8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801 | Triage

Submit
Reports

Overview

overview

Static

static

3

8c2ab35065...01.exe

windows7-x64

8c2ab35065...01.exe

windows10-2004-x64

Sharing

General

Target

8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801
Size

8.4MB
Sample

241110-n1hk8svrgw
MD5

606521d55f5758265083588d0943dfe9
SHA1

009dbfdbf2f41087f41d677024f9710e6a60c2c7
SHA256

8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801
SHA512

4758d7a384d916cef8a5bf4e83290ab0be7f486ac191c35d0f9caa1be9173dfdb530dd023fef4f3896160af8d5d914074669669abfbc8926e9e4d28a22076ff9
SSDEEP

196608:I3eDL8u4LhYeeorukYMmaIbzeMs2V6d+9of9NMj:oKUOpCulMmFXkdvf9+

Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe

Resource

win7-20240903-en

xworm discovery execution persistence pyinstaller rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe

Resource

win10v2004-20241007-en

xworm discovery execution persistence pyinstaller rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

109.206.246.102:3387

Mutex

5dZEpmVHmiVKYX3w

Attributes

Install_directory
%AppData%
install_file
骇客开发.exe

aes.plain

Targets

- Target
  
  8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801
- Size
  
  8.4MB
- MD5
  
  606521d55f5758265083588d0943dfe9
- SHA1
  
  009dbfdbf2f41087f41d677024f9710e6a60c2c7
- SHA256
  
  8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801
- SHA512
  
  4758d7a384d916cef8a5bf4e83290ab0be7f486ac191c35d0f9caa1be9173dfdb530dd023fef4f3896160af8d5d914074669669abfbc8926e9e4d28a22076ff9
- SSDEEP
  
  196608:I3eDL8u4LhYeeorukYMmaIbzeMs2V6d+9of9NMj:oKUOpCulMmFXkdvf9+
Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencepyinstallerrattrojan

behavioral2

xwormdiscoveryexecutionpersistencepyinstallerrattrojan

© 2018-2024

Terms | Privacy