xworm | 61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150 | Triage

Sharing

General

Target

61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe
Size

193KB
Sample

241116-ajcrrswckj
MD5

6cad6576780e786ee72a659d50dc4020
SHA1

50cb376363e6317836c3cd774b135531bc6110c0
SHA256

61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150
SHA512

20724d675c27f11c1496257afa6b3c8304d87a642acaa7cdb9b368d1a76b041afa3f05a09857a835f8124b832ebca10f81c22399abf03cb9af1a925eb62a3ae7
SSDEEP

6144:g2JhWiZqebUcSxw1RrPDhcZhyL8vr/5FZRAdPOl/AT7tu9:DhvSxCJbeZQ8vNFZAPOST7t

Score

10^/10

xworm defense_evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

wego666.webredirect.org:666

Mutex

0MJ5uaqdM5KfHEtd

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150N.exe
- Size
  
  193KB
- MD5
  
  6cad6576780e786ee72a659d50dc4020
- SHA1
  
  50cb376363e6317836c3cd774b135531bc6110c0
- SHA256
  
  61c9156d480363777ae7bed66561486ab4e7d97c5fca890ece91ea5004636150
- SHA512
  
  20724d675c27f11c1496257afa6b3c8304d87a642acaa7cdb9b368d1a76b041afa3f05a09857a835f8124b832ebca10f81c22399abf03cb9af1a925eb62a3ae7
- SSDEEP
  
  6144:g2JhWiZqebUcSxw1RrPDhcZhyL8vr/5FZRAdPOl/AT7tu9:DhvSxCJbeZQ8vNFZAPOST7t
Score

10^/10

xworm execution rat spyware stealer trojan defense_evasion
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionratspywarestealertrojan

behavioral2

xwormdefense_evasionexecutionratspywarestealertrojan