xworm

General

Target

ExperienceCheat.exe
Size

62.0MB
Sample

241111-n3gfyssmbk
MD5

a2758f6c3f1a1d68731991792a711dd0
SHA1

e2ef709aaa1d88792d54b8cf05b9b3c3033b3409
SHA256

ca93416a5406c488c52fdda404b872f0da81f9a8459f4d4ae4cebe6541d22e85
SHA512

9fcd549b1dd8bced2b1f843272a8d923322a3ff4eef05d3bf8fb7a5cfd4328a36192c04eb1e6e16d799cefb461256cd8fdb772bbb251e94e44338c242d463103
SSDEEP

1536:YkeHtRfrimdNmkKZr311OGAiQj39IdcCqcAP69nQ:oHtRp6r311RAzj390VAP69Q

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38492

warning-ms.gl.at.ply.gg:38492

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  ExperienceCheat.exe
- Size
  
  62.0MB
- MD5
  
  a2758f6c3f1a1d68731991792a711dd0
- SHA1
  
  e2ef709aaa1d88792d54b8cf05b9b3c3033b3409
- SHA256
  
  ca93416a5406c488c52fdda404b872f0da81f9a8459f4d4ae4cebe6541d22e85
- SHA512
  
  9fcd549b1dd8bced2b1f843272a8d923322a3ff4eef05d3bf8fb7a5cfd4328a36192c04eb1e6e16d799cefb461256cd8fdb772bbb251e94e44338c242d463103
- SSDEEP
  
  1536:YkeHtRfrimdNmkKZr311OGAiQj39IdcCqcAP69nQ:oHtRp6r311RAzj390VAP69Q
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2