xworm | eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8 | Triage

Submit
Reports

Overview

overview

Static

static

3

eca7af7a2e...a8.exe

windows7-x64

eca7af7a2e...a8.exe

windows10-2004-x64

Sharing

General

Target

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe
Size

625KB
Sample

241116-bt52qs1kak
MD5

3a2f7315aa9aa110c98c396bff591c0d
SHA1

33793dfc29dc8997ad535aa5a4af58b699e864a0
SHA256

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8
SHA512

79a33baa45a0e6ef6bf9dfadee5b9bad82cd26adda7a5673e0774d31601f86d77a096ecbb74814a5a3517b7405134261f26c7d0a3876a570da66347e84d29ede
SSDEEP

12288:o7FvizoyZ7UtcPZe69HP/RdAJrz7KKLjKdUcLz9dnHJZs:oxEFZ7Ui99HvEzxjiUYdnU

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe

Resource

win7-20241010-en

xworm execution rat trojan

windows7-x64

15 signatures

120 seconds

Behavioral task

behavioral2

Sample

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

15 signatures

120 seconds

Malware Config

Extracted

Family

xworm

C2

45.141.26.214:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Targets

- Target
  
  eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe
- Size
  
  625KB
- MD5
  
  3a2f7315aa9aa110c98c396bff591c0d
- SHA1
  
  33793dfc29dc8997ad535aa5a4af58b699e864a0
- SHA256
  
  eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8
- SHA512
  
  79a33baa45a0e6ef6bf9dfadee5b9bad82cd26adda7a5673e0774d31601f86d77a096ecbb74814a5a3517b7405134261f26c7d0a3876a570da66347e84d29ede
- SSDEEP
  
  12288:o7FvizoyZ7UtcPZe69HP/RdAJrz7KKLjKdUcLz9dnHJZs:oxEFZ7Ui99HvEzxjiUYdnU
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy