xworm | 1645991919fd66fed7adc8f19d4600b46fb86b54062c86e76279cb0f74ac8e42 | Triage

Submit
Reports

Overview

overview

Static

static

SteamCRACK...ed.exe

windows7-x64

SteamCRACK...ed.exe

windows10-2004-x64

Sharing

General

Target

SteamCRACKED_patched.exe
Size

656KB
Sample

241112-cmzrta1pcs
MD5

e013cc772300564eb65f6ebb9d1f10c6
SHA1

9cb8f0419e0127664da18f37737077da06b45a8b
SHA256

1645991919fd66fed7adc8f19d4600b46fb86b54062c86e76279cb0f74ac8e42
SHA512

c3411408609d08434bcd8ef34a3b9bbbc17b670d6400307dd87de9a1ac1c314ca87db2441073c30266ab051b8d3b0485e9399944c6dbd1989ddb8409b676ad43
SSDEEP

6144:PtBmb8WHz0L+GIIIIIIIhIIIIIIIIIIIIIIIU:lXmL

Score

10^/10

xworm execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

SteamCRACKED_patched.exe

Resource

win7-20240708-en

xworm execution rat trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

SteamCRACKED_patched.exe

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:63603

37.4.250.173:63603

Attributes

Install_directory
%AppData%
install_file
XwormV6.exe

Targets

- Target
  
  SteamCRACKED_patched.exe
- Size
  
  656KB
- MD5
  
  e013cc772300564eb65f6ebb9d1f10c6
- SHA1
  
  9cb8f0419e0127664da18f37737077da06b45a8b
- SHA256
  
  1645991919fd66fed7adc8f19d4600b46fb86b54062c86e76279cb0f74ac8e42
- SHA512
  
  c3411408609d08434bcd8ef34a3b9bbbc17b670d6400307dd87de9a1ac1c314ca87db2441073c30266ab051b8d3b0485e9399944c6dbd1989ddb8409b676ad43
- SSDEEP
  
  6144:PtBmb8WHz0L+GIIIIIIIhIIIIIIIIIIIIIIIU:lXmL
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy