xworm | 20ea21a3ee873d2e7d758697be5dd05e4e66bfe667f058f15fab8a8949de964e | Triage

Submit
Reports

Overview

overview

Static

static

1

aimer.cpython-311.pyc

windows11-21h2-x64

Sharing

General

Target

aimer.cpython-311.pyc
Size

13KB
Sample

241112-x7nv9sykfx
MD5

593b5193f93bf9adb2da69ff24642e6f
SHA1

8ebceac2699a9f43b09a91702c431a716a10bece
SHA256

20ea21a3ee873d2e7d758697be5dd05e4e66bfe667f058f15fab8a8949de964e
SHA512

b4019caf3f69d2782399bbdda140f5ed3a73ca6ee3c6dd3356f31690a823e093e17ead2940b2888183604925fedbcb0f612bab4d7ecf452963e1744c0368d461
SSDEEP

384:tfrS+F/0V4EIN4jHp9BQtQpI2wYreehc4eMf:BrZN0vINeti2wYreeBVf

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

aimer.cpython-311.pyc

Resource

win11-20241023-en

xworm defense_evasion discovery execution rat trojan

windows11-21h2-x64

31 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:10178

wireless-drunk.gl.at.ply.gg:10178

127.0.0.1:15304

parents-hundred.gl.at.ply.gg:15304

Attributes

Install_directory
%ProgramData%
install_file
dllhost.exe

Targets

- Target
  
  aimer.cpython-311.pyc
- Size
  
  13KB
- MD5
  
  593b5193f93bf9adb2da69ff24642e6f
- SHA1
  
  8ebceac2699a9f43b09a91702c431a716a10bece
- SHA256
  
  20ea21a3ee873d2e7d758697be5dd05e4e66bfe667f058f15fab8a8949de964e
- SHA512
  
  b4019caf3f69d2782399bbdda140f5ed3a73ca6ee3c6dd3356f31690a823e093e17ead2940b2888183604925fedbcb0f612bab4d7ecf452963e1744c0368d461
- SSDEEP
  
  384:tfrS+F/0V4EIN4jHp9BQtQpI2wYreehc4eMf:BrZN0vINeti2wYreeBVf
Score

10^/10

xworm defense_evasion discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Window

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy