xworm | fb764f1a547a99a62584b1c57ecb1b852fd3f0ce6bf742f2806fd2d86fff2ea3 | Triage

Submit
Reports

Overview

overview

Static

static

1

Arduino.ino

windows10-2004-x64

Resubmissions

12-11-2024 19:51

241112-yk6y1asrep 10

Sharing

General

Target

Arduino.ino
Size

753B
Sample

241112-yk6y1asrep
MD5

bad8ee7aaff8ec856f69fedda9626501
SHA1

b2051bfa6415c08db7f61ddd88511af7a6361d8e
SHA256

fb764f1a547a99a62584b1c57ecb1b852fd3f0ce6bf742f2806fd2d86fff2ea3
SHA512

96ef127b219c4801a5dc82c7ef1937e80e6e880172debe8ea6345ca69d7f628bdf3a035c142e286d4a5cb6bb1cc135770fcffa1669dda32709888036a10429f1

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Arduino.ino

Resource

win10v2004-20241007-en

xworm defense_evasion discovery execution rat trojan

windows10-2004-x64

27 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:56069

front-applications.gl.at.ply.gg:56069

Attributes

install_file
USB.exe

Targets

- Target
  
  Arduino.ino
- Size
  
  753B
- MD5
  
  bad8ee7aaff8ec856f69fedda9626501
- SHA1
  
  b2051bfa6415c08db7f61ddd88511af7a6361d8e
- SHA256
  
  fb764f1a547a99a62584b1c57ecb1b852fd3f0ce6bf742f2806fd2d86fff2ea3
- SHA512
  
  96ef127b219c4801a5dc82c7ef1937e80e6e880172debe8ea6345ca69d7f628bdf3a035c142e286d4a5cb6bb1cc135770fcffa1669dda32709888036a10429f1
Score

10^/10

xworm defense_evasion discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Window

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionrattrojan

© 2018-2024

Terms | Privacy