xworm | 62ba4ec06510e37fb216b054b958f8d205e78e81963856e86aa05815d8bb46c9 | Triage

Sharing

General

Target

62ba4ec06510e37fb216b054b958f8d205e78e81963856e86aa05815d8bb46c9N
Size

34KB
Sample

241111-enn3tawkfm
MD5

4b16d5aa43562f7860fef6f93b444ab0
SHA1

cba12e617ac366cc18cc3f2cf84edd58fd0ab4b1
SHA256

62ba4ec06510e37fb216b054b958f8d205e78e81963856e86aa05815d8bb46c9
SHA512

dd55f368c5703dd4751061068e2f9f44c6dbfa84bc7a06b343b338e92a59e72fb6abb8b355fe35b52deb59d27b059894aadb4d07c330e3b7e9b8069e9b0859e2
SSDEEP

768:AYBpz/QvWZqvoXu24OFrCxxF39XTp6LOjh/bU:AYBpz/QvwtbFGrF39XV6LOjN4

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:26848

on-modules.gl.at.ply.gg:26848

Mutex

wrmsNSNXixl9dMEG

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  62ba4ec06510e37fb216b054b958f8d205e78e81963856e86aa05815d8bb46c9N
- Size
  
  34KB
- MD5
  
  4b16d5aa43562f7860fef6f93b444ab0
- SHA1
  
  cba12e617ac366cc18cc3f2cf84edd58fd0ab4b1
- SHA256
  
  62ba4ec06510e37fb216b054b958f8d205e78e81963856e86aa05815d8bb46c9
- SHA512
  
  dd55f368c5703dd4751061068e2f9f44c6dbfa84bc7a06b343b338e92a59e72fb6abb8b355fe35b52deb59d27b059894aadb4d07c330e3b7e9b8069e9b0859e2
- SSDEEP
  
  768:AYBpz/QvWZqvoXu24OFrCxxF39XTp6LOjh/bU:AYBpz/QvwtbFGrF39XV6LOjN4
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan