xworm | fc61030b2b9431b0bb5f1a39e4d2a225fd737f143a7f7bf552aaed1ea9a8549e | Triage

Submit
Reports

Overview

overview

Static

static

Api-AutoUp...es.exe

windows11-21h2-x64

Sharing

General

Target

Api-AutoUpdater-Click-yes.exe
Size

205KB
Sample

241117-hqgy3atgkb
MD5

d56646c8251432a184a2154302512e29
SHA1

acfa04f7245e24eac7f452fb576ccc606655418f
SHA256

fc61030b2b9431b0bb5f1a39e4d2a225fd737f143a7f7bf552aaed1ea9a8549e
SHA512

566a51751e6bdc67fb06d4bce8ce2141298475e34b6fdcdba42de2ca74eb02c19b10962707eb6bb96cc6f7ce202130b3d16a64b4feb4578a6cfaa322fefb57db
SSDEEP

6144:7SncRl9Fb3g/7CbCR5F5I5eJAdbyVTqkbtP:e4LZg/OoFS5Fbw

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Api-AutoUpdater-Click-yes.exe

Resource

win11-20241007-en

xworm discovery execution persistence rat trojan

windows11-21h2-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

job-moore.gl.at.ply.gg:49404

Attributes

Install_directory
%ProgramData%
install_file
Helper.exe

Targets

- Target
  
  Api-AutoUpdater-Click-yes.exe
- Size
  
  205KB
- MD5
  
  d56646c8251432a184a2154302512e29
- SHA1
  
  acfa04f7245e24eac7f452fb576ccc606655418f
- SHA256
  
  fc61030b2b9431b0bb5f1a39e4d2a225fd737f143a7f7bf552aaed1ea9a8549e
- SHA512
  
  566a51751e6bdc67fb06d4bce8ce2141298475e34b6fdcdba42de2ca74eb02c19b10962707eb6bb96cc6f7ce202130b3d16a64b4feb4578a6cfaa322fefb57db
- SSDEEP
  
  6144:7SncRl9Fb3g/7CbCR5F5I5eJAdbyVTqkbtP:e4LZg/OoFS5Fbw
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy