xworm | 94ee5da3dcb01b3f75d0d974d18710293d02806e900cbad3b3401c79b9bf6263 | Triage

Submit
Reports

Overview

overview

Static

static

3

downloader.exe

windows7-x64

1

downloader.exe

windows10-2004-x64

Sharing

General

Target

downloader.exe
Size

30.1MB
Sample

241117-1rwgystngn
MD5

ce51ab4fa2a58a2fa1548f8b5fa4bc83
SHA1

8d89a3fc9a1e4f03e73a1d4509a2ae5e567d6ba3
SHA256

94ee5da3dcb01b3f75d0d974d18710293d02806e900cbad3b3401c79b9bf6263
SHA512

c67652273485d72fde8d0659956429386ececbd17a464ebcd8b01e374a5de83f368483982365242ad77d28fb7a66b709b98aea70834a8613e9bb54debc0b2d16
SSDEEP

393216:R8oimu7izBxR3QRzhzvQ99Sq8lu0q5tDJKoWSxJGBL7asmo+AJCcLKA4:R9w9wD5xUesbJCcg

Score

10^/10

xworm discovery execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

downloader.exe

Resource

win7-20240903-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

downloader.exe

Resource

win10v2004-20241007-en

xworm discovery execution rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Targets

- Target
  
  downloader.exe
- Size
  
  30.1MB
- MD5
  
  ce51ab4fa2a58a2fa1548f8b5fa4bc83
- SHA1
  
  8d89a3fc9a1e4f03e73a1d4509a2ae5e567d6ba3
- SHA256
  
  94ee5da3dcb01b3f75d0d974d18710293d02806e900cbad3b3401c79b9bf6263
- SHA512
  
  c67652273485d72fde8d0659956429386ececbd17a464ebcd8b01e374a5de83f368483982365242ad77d28fb7a66b709b98aea70834a8613e9bb54debc0b2d16
- SSDEEP
  
  393216:R8oimu7izBxR3QRzhzvQ99Sq8lu0q5tDJKoWSxJGBL7asmo+AJCcLKA4:R9w9wD5xUesbJCcg
Score

10^/10

xworm discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy