xworm | dd90b5843c6550de3403c5bf221c3639e56083e337f49050cd21c625229d9609 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows7-x64

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

38KB
Sample

241113-reg95aspaw
MD5

bfbb29d4f8dc3ce3b7b67e055fb70bcf
SHA1

f9a646e32fb5ec8eb10f1486e5a95883a902b108
SHA256

dd90b5843c6550de3403c5bf221c3639e56083e337f49050cd21c625229d9609
SHA512

e05e3db627c1a9d8de16f1357a95f330b71724dd8ae182a62ad0d3c55414d6ad0caa4ca28f0bb746173565cd1705aa82fa8d41cd99ddddbc43379a746f568a71
SSDEEP

768:siS8brf7blu3ml5G7m9NFfZk7FWPB9WxOOMhTaQkrl:zpnf7c+5PFyFO9WxOOM5sl

Score

10^/10

xworm evasion rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20241010-en

xworm rat trojan

windows7-x64

8 signatures

1200 seconds

Behavioral task

behavioral2

Sample

XClient.exe

Resource

win10v2004-20241007-en

xworm evasion rat trojan

windows10-2004-x64

18 signatures

1200 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

instruments-survivor.gl.at.ply.gg:29973

Mutex

Bv3T1nydYnsmIsFU

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

aes.plain

Targets

- Target
  
  XClient.exe
- Size
  
  38KB
- MD5
  
  bfbb29d4f8dc3ce3b7b67e055fb70bcf
- SHA1
  
  f9a646e32fb5ec8eb10f1486e5a95883a902b108
- SHA256
  
  dd90b5843c6550de3403c5bf221c3639e56083e337f49050cd21c625229d9609
- SHA512
  
  e05e3db627c1a9d8de16f1357a95f330b71724dd8ae182a62ad0d3c55414d6ad0caa4ca28f0bb746173565cd1705aa82fa8d41cd99ddddbc43379a746f568a71
- SSDEEP
  
  768:siS8brf7blu3ml5G7m9NFfZk7FWPB9WxOOMhTaQkrl:zpnf7c+5PFyFO9WxOOM5sl
Score

10^/10

xworm rat trojan evasion
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormevasionrattrojan

© 2018-2024

Terms | Privacy