xworm | 9f5f9ef41661f2867dc646b2979808a51a37e1c09a7e01a14d920c4b53a8ab9b | Triage

Sharing

General

Target

XClient.bat
Size

108KB
Sample

241114-e49z8atngs
MD5

85858e630a760180cab51cc060f9b811
SHA1

a9bb8f891c1f6b0fa07f6119304cd3f8798cb1b8
SHA256

9f5f9ef41661f2867dc646b2979808a51a37e1c09a7e01a14d920c4b53a8ab9b
SHA512

753864eecf3478a2f3f78a6743577c8aa81179664786730b0a3ad2ce8307451240a2186af9fb7522f0a1a0f99d6772eb52d684cc23a4c060c92ebfce43d59462
SSDEEP

3072:k2rUR0lBxUPbxNuh/Fqf2Zf5SJi1UF0Mg+O:kwUzjxUh/Fqf2Z5SJxg+O

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

travel-competitive.gl.at.ply.gg:44130

Attributes

Install_directory
%ProgramData%
install_file
SystemProcess.exe

Targets

- Target
  
  XClient.bat
- Size
  
  108KB
- MD5
  
  85858e630a760180cab51cc060f9b811
- SHA1
  
  a9bb8f891c1f6b0fa07f6119304cd3f8798cb1b8
- SHA256
  
  9f5f9ef41661f2867dc646b2979808a51a37e1c09a7e01a14d920c4b53a8ab9b
- SHA512
  
  753864eecf3478a2f3f78a6743577c8aa81179664786730b0a3ad2ce8307451240a2186af9fb7522f0a1a0f99d6772eb52d684cc23a4c060c92ebfce43d59462
- SSDEEP
  
  3072:k2rUR0lBxUPbxNuh/Fqf2Zf5SJi1UF0Mg+O:kwUzjxUh/Fqf2Z5SJxg+O
Score

10^/10

execution xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan