xworm

General

Target

SAM X222C#.exe
Size

3.3MB
Sample

241113-yc2pba1pfj
MD5

918951c4657e9cdf39ac1b275bfd2e95
SHA1

7323e59b2c4d60b6639bfcba11f4c02bcb94e347
SHA256

b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505
SHA512

438c7554d8b72db63d598085b2c6fae9bfa1895154ebbaf96a5d2a498459b9a3516611613515f04dbc198edb8b2d7ce2ce63975064f28af63f3efa1e50e3e0d7
SSDEEP

98304:n5rc//PaUFOFWiRbNqz1xC4fkkbcZvqaVRn0:oi1Bc144M5vqaPn0

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Targets

- Target
  
  SAM X222C#.exe
- Size
  
  3.3MB
- MD5
  
  918951c4657e9cdf39ac1b275bfd2e95
- SHA1
  
  7323e59b2c4d60b6639bfcba11f4c02bcb94e347
- SHA256
  
  b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505
- SHA512
  
  438c7554d8b72db63d598085b2c6fae9bfa1895154ebbaf96a5d2a498459b9a3516611613515f04dbc198edb8b2d7ce2ce63975064f28af63f3efa1e50e3e0d7
- SSDEEP
  
  98304:n5rc//PaUFOFWiRbNqz1xC4fkkbcZvqaVRn0:oi1Bc144M5vqaPn0
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Realtek HD Audio Universal Service.exe
- Size
  
  79KB
- MD5
  
  066d90fb1d671648842a3b46622eb7ce
- SHA1
  
  6d0949bd4f494c9f8d80b705a79cfa9038c80e51
- SHA256
  
  8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8
- SHA512
  
  b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745
- SSDEEP
  
  1536:vxgta4sqc5BlZof4KeyzFil9Xsbtlk+JggTaCL6UkLOJmxH3:pnqCTa4KTEnsbtmTgT1hkOJw3
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  SAM X222C#.exe
- Size
  
  3.7MB
- MD5
  
  ad991add5af431b8d808cf9035a5cd46
- SHA1
  
  d7ac382fa834529219db1b76e4d928ff24f1245b
- SHA256
  
  a1dfdf32f2a82156bb3007896a9672fa05aba8ce4c668c3f4dce449a1a811a19
- SHA512
  
  b876e8380ab97dade3f875a7e0cee2dc598ba55143921bdd1f1d9d2d5be55c25d62b12aaef424227e1450f6ddf67a4e04e3f4fc846182abb842c4c821997cbbd
- SSDEEP
  
  98304:laMw+woaBHtFIT4bNJFY3Oqtbh+KH4kpc+DX/0Hd:S+nAbjBHYcKYOD8
Score

1^/10
behavioral5 behavioral6