xworm | 7f923d21aabce586b418237b335c8f0fd2e82057bd7f3119804a075af0bd4acb | Triage

Submit
Reports

Overview

overview

Static

static

3

special_function.exe

windows10-ltsc 2021-x64

Sharing

General

Target

special_function.exe
Size

4.1MB
Sample

241116-heedss1jay
MD5

5583ad2b12d90490626b14fb72471ae4
SHA1

89200b1ea2cb8c22b97f93b335d861a7e022478a
SHA256

7f923d21aabce586b418237b335c8f0fd2e82057bd7f3119804a075af0bd4acb
SHA512

4c198116e8bf52f8aa8436e38a2d30604267260f9d74a2c2b6ecf9fdb40d3e0162a34894752ef0cc6b496300cd6e62149020340317cc949db8bf747b03f7255f
SSDEEP

98304:MW2uRdZpGWnfsRnOyPnbK+4AWvxY24eY:gudBB+0vxLY

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

special_function.exe

Resource

win10ltsc2021-20241023-en

xworm execution rat trojan

windows10-ltsc 2021-x64

13 signatures

30 seconds

Malware Config

Extracted

Family

xworm

C2

45.141.27.91:7777

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Targets

- Target
  
  special_function.exe
- Size
  
  4.1MB
- MD5
  
  5583ad2b12d90490626b14fb72471ae4
- SHA1
  
  89200b1ea2cb8c22b97f93b335d861a7e022478a
- SHA256
  
  7f923d21aabce586b418237b335c8f0fd2e82057bd7f3119804a075af0bd4acb
- SHA512
  
  4c198116e8bf52f8aa8436e38a2d30604267260f9d74a2c2b6ecf9fdb40d3e0162a34894752ef0cc6b496300cd6e62149020340317cc949db8bf747b03f7255f
- SSDEEP
  
  98304:MW2uRdZpGWnfsRnOyPnbK+4AWvxY24eY:gudBB+0vxLY
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy