xworm | 78644ac0e1fd8d30748e8980d15a0db7dfcd783e5b7b6f72b71d707d1799e1d9 | Triage

Submit
Reports

Overview

overview

Static

static

3

Dek Store.exe

windows7-x64

Dek Store.exe

windows10-2004-x64

Sharing

General

Target

Dek Store.exe
Size

4.0MB
Sample

241117-pt73zszfla
MD5

0e24307ddf87b25a3ca7c5301a393633
SHA1

ec28111e105e95f3835f797d7b88b9ffa3f77683
SHA256

78644ac0e1fd8d30748e8980d15a0db7dfcd783e5b7b6f72b71d707d1799e1d9
SHA512

ae032bc7b20914d52deda07fbc50b593605863ebfb92a62c79cb6ea1efc92c14bb42f8abffc69404aca1f0b6dbf4579ab23d0e36189d371929faa7082be2e52b
SSDEEP

98304:pUZUZBlLQ8OLqmRdmgcmqPkGAnSG6qn4HoLVvrW1f:pjHQ8H0mgcRkGpG6wlr8

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Dek Store.exe

Resource

win7-20241010-en

xworm execution persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Dek Store.exe

Resource

win10v2004-20241007-en

xworm discovery execution persistence rat trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

185.84.160.238:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  Dek Store.exe
- Size
  
  4.0MB
- MD5
  
  0e24307ddf87b25a3ca7c5301a393633
- SHA1
  
  ec28111e105e95f3835f797d7b88b9ffa3f77683
- SHA256
  
  78644ac0e1fd8d30748e8980d15a0db7dfcd783e5b7b6f72b71d707d1799e1d9
- SHA512
  
  ae032bc7b20914d52deda07fbc50b593605863ebfb92a62c79cb6ea1efc92c14bb42f8abffc69404aca1f0b6dbf4579ab23d0e36189d371929faa7082be2e52b
- SSDEEP
  
  98304:pUZUZBlLQ8OLqmRdmgcmqPkGAnSG6qn4HoLVvrW1f:pjHQ8H0mgcRkGpG6wlr8
Score

10^/10

xworm execution persistence rat trojan discovery
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy