xworm | 7910204165b5361c5f022e7c8ce510d2947d850f651d4e85f8731d963409e789 | Triage

Submit
Reports

Overview

overview

Static

static

3

VanillaRat.exe

windows7-x64

VanillaRat.exe

windows10-2004-x64

Sharing

General

Target

VanillaRat.exe
Size

1003KB
Sample

241116-vl3fesyras
MD5

63e695a3ac69b33207847c37501dc89c
SHA1

bff6478ffc46201baff8b4e3f8151538a3099ef8
SHA256

7910204165b5361c5f022e7c8ce510d2947d850f651d4e85f8731d963409e789
SHA512

eab4d8e5e0631d1d5dd1a1f2c5f48372fae6143e4a51af3a3ee29fb5b70895a06018589c78c2f2606c6603a777dee5e7b5f29cb4a06f0289f01c287e7a27ab1f
SSDEEP

24576:og59nzOn6RU0rAxGLytABzMjhiZwxbRFXV9VLGIMD:og59ynbvxGLytA2bbFLV

Score

10^/10

xworm evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

VanillaRat.exe

Resource

win7-20240903-en

xworm evasion persistence rat trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

VanillaRat.exe

Resource

win10v2004-20241007-en

xworm evasion persistence rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  VanillaRat.exe
- Size
  
  1003KB
- MD5
  
  63e695a3ac69b33207847c37501dc89c
- SHA1
  
  bff6478ffc46201baff8b4e3f8151538a3099ef8
- SHA256
  
  7910204165b5361c5f022e7c8ce510d2947d850f651d4e85f8731d963409e789
- SHA512
  
  eab4d8e5e0631d1d5dd1a1f2c5f48372fae6143e4a51af3a3ee29fb5b70895a06018589c78c2f2606c6603a777dee5e7b5f29cb4a06f0289f01c287e7a27ab1f
- SSDEEP
  
  24576:og59nzOn6RU0rAxGLytABzMjhiZwxbRFXV9VLGIMD:og59ynbvxGLytA2bbFLV
Score

10^/10

xworm evasion persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormevasionpersistencerattrojan

behavioral2

xwormevasionpersistencerattrojan

© 2018-2025

Terms | Privacy