Overview

overview

10

Static

static

10

XWorm V5.2.7z

windows7-x64

7

XWorm V5.2.7z

windows10-2004-x64

10

XWorm V5.2....2.exe

windows7-x64

7

XWorm V5.2....2.exe

windows10-2004-x64

7

XWorm V5.2...32.exe

windows7-x64

3

XWorm V5.2...32.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm V5.2.7z

  • Size

    28.8MB

  • Sample

    241111-ypmqxsvglg

  • MD5

    b965c5e95b3aa608de9bfc6af57df8ee

  • SHA1

    65dc4c9e615182565c60f1d20e297af4652605eb

  • SHA256

    07f410a24d31af2090a87ffd170bb0cb876aa1e735a754b1dbf50aa57a63a3bb

  • SHA512

    bd420b2f44aa9ca424332e6feca63072ac011fdf377dbfd73628c503452e3efcdb131bd6a4091d84aab0d7b3df3da2887bbf47be33eb44dccc9ee1dea3edf7f8

  • SSDEEP

    786432:5qVjpgbD+4a7wlwyYqmsN7tCUEFqkaUgTiJaqji3JVFuVbL:WgbD+XGKqmsNZmNgtIi5VFMP

Score
10/10
stormkittyxwormagilenetdiscoveryrattrojan

Malware Config

Targets

    • Target

      XWorm V5.2.7z

    • Size

      28.8MB

    • MD5

      b965c5e95b3aa608de9bfc6af57df8ee

    • SHA1

      65dc4c9e615182565c60f1d20e297af4652605eb

    • SHA256

      07f410a24d31af2090a87ffd170bb0cb876aa1e735a754b1dbf50aa57a63a3bb

    • SHA512

      bd420b2f44aa9ca424332e6feca63072ac011fdf377dbfd73628c503452e3efcdb131bd6a4091d84aab0d7b3df3da2887bbf47be33eb44dccc9ee1dea3edf7f8

    • SSDEEP

      786432:5qVjpgbD+4a7wlwyYqmsN7tCUEFqkaUgTiJaqji3JVFuVbL:WgbD+XGKqmsNZmNgtIi5VFMP

    Score
    10/10
    discoveryxwormagilenetrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Uses the VBS compiler for execution

    behavioral1behavioral2

    • Target

      XWorm V5.2/XWorm V5.2.exe

    • Size

      12.2MB

    • MD5

      8b7b015c1ea809f5c6ade7269bdc5610

    • SHA1

      c67d5d83ca18731d17f79529cfdb3d3dcad36b96

    • SHA256

      7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

    • SHA512

      e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

    • SSDEEP

      196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn

    Score
    7/10
    agilenet

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet
    behavioral3behavioral4

    • Target

      XWorm V5.2/XWormLoader 5.2 x32.exe

    • Size

      109KB

    • MD5

      f3b2ec58b71ba6793adcc2729e2140b1

    • SHA1

      d9e93a33ac617afe326421df4f05882a61e0a4f2

    • SHA256

      2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

    • SHA512

      473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

    • SSDEEP

      1536:5vjAnXqn2nY7WfRMgPQQrMoqmyVttdGFQeOPigx:5LCan2nY7sdQQAoqmyBeu

    Score
    7/10
    discoveryagilenet

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks