xworm | 31a2b821e933bb193d94438d4a5aa036519535336c936d65b66889fb03164e2d | Triage

Submit
Reports

Overview

overview

Static

static

eternal.exe

windows7-x64

eternal.exe

windows10-2004-x64

eternal.exe

windows11-21h2-x64

Sharing

General

Target

eternal.exe
Size

69KB
Sample

241117-l9nshasjfj
MD5

7439cc991a9a756c41153b8e9121baab
SHA1

c62528386e5f62ff2975cc8ed0cad3a7d362e632
SHA256

31a2b821e933bb193d94438d4a5aa036519535336c936d65b66889fb03164e2d
SHA512

cbdfd77671884407f8f4bd9c5251df5d8896b29bd004ea52460eda8a222df7492c69572e044376315624220f3ea66de3aff34323ea281591ca2975f90fa6dd51
SSDEEP

1536:dEmkVu+xslqytUTZfJM6htYxrlYCbM1/kCxtD6LOSIcRGPUC:dEZZx8q/fJLtYFZbM1segO3cQ8C

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

eternal.exe

Resource

win7-20240903-en

xworm persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

eternal.exe

Resource

win10v2004-20241007-en

xworm persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Behavioral task

behavioral3

Sample

eternal.exe

Resource

win11-20241007-en

xworm persistence rat trojan

windows11-21h2-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:33942

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  eternal.exe
- Size
  
  69KB
- MD5
  
  7439cc991a9a756c41153b8e9121baab
- SHA1
  
  c62528386e5f62ff2975cc8ed0cad3a7d362e632
- SHA256
  
  31a2b821e933bb193d94438d4a5aa036519535336c936d65b66889fb03164e2d
- SHA512
  
  cbdfd77671884407f8f4bd9c5251df5d8896b29bd004ea52460eda8a222df7492c69572e044376315624220f3ea66de3aff34323ea281591ca2975f90fa6dd51
- SSDEEP
  
  1536:dEmkVu+xslqytUTZfJM6htYxrlYCbM1/kCxtD6LOSIcRGPUC:dEZZx8q/fJLtYFZbM1segO3cQ8C
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

behavioral3

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy