xworm | 0682cfbf0f7c1425a627a847a7cfbc9d3c7633d8426b6f7800d81e391528167b | Triage

Submit
Reports

Overview

overview

Static

static

1

NLHybrid Fixer.bat

windows10-ltsc 2021-x64

NLHybrid Fixer.bat

windows11-21h2-x64

Sharing

General

Target

NLHybrid Fixer.bat
Size

291KB
Sample

241112-g2nqbawhnp
MD5

734fdc5c211a7b1fe3a5101c3b0aafd6
SHA1

3d8b84678e674a5b4b49ad4ee4669179d16b75d0
SHA256

0682cfbf0f7c1425a627a847a7cfbc9d3c7633d8426b6f7800d81e391528167b
SHA512

92b2af4e5dbdeefdad102696b8b6d85c10c2885d0e1bfb3d9b94c0ef8e1dafa488f8c8688504b8cb76e244f6abcd3f093e817f5767ae16daed89f80fcbb1db18
SSDEEP

6144:uoiULBMXvSD+eFkX0TupDOYvaktWHHvdTNb71M943xw:uLULBM47FNuNOWaxvH7m43a

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

NLHybrid Fixer.bat

Resource

win10ltsc2021-20241023-en

xworm execution persistence rat trojan

windows10-ltsc 2021-x64

19 signatures

1800 seconds

Behavioral task

behavioral2

Sample

NLHybrid Fixer.bat

Resource

win11-20241007-en

xworm execution persistence rat trojan

windows11-21h2-x64

27 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

remote-newest.gl.at.ply.gg:62113

fund-scared.gl.at.ply.gg:62113

Mutex

UrM5eoX12ULh6st6

Attributes

Install_directory
%Userprofile%
install_file
win64updater.exe

aes.plain

Targets

- Target
  
  NLHybrid Fixer.bat
- Size
  
  291KB
- MD5
  
  734fdc5c211a7b1fe3a5101c3b0aafd6
- SHA1
  
  3d8b84678e674a5b4b49ad4ee4669179d16b75d0
- SHA256
  
  0682cfbf0f7c1425a627a847a7cfbc9d3c7633d8426b6f7800d81e391528167b
- SHA512
  
  92b2af4e5dbdeefdad102696b8b6d85c10c2885d0e1bfb3d9b94c0ef8e1dafa488f8c8688504b8cb76e244f6abcd3f093e817f5767ae16daed89f80fcbb1db18
- SSDEEP
  
  6144:uoiULBMXvSD+eFkX0TupDOYvaktWHHvdTNb71M943xw:uLULBM47FNuNOWaxvH7m43a
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy