xworm | c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856 | Triage

Submit
Reports

Overview

overview

Static

static

7

XwormLoader.exe

windows7-x64

XwormLoader.exe

windows10-2004-x64

XwormLoader.exe

windows10-ltsc 2021-x64

XwormLoader.exe

windows11-21h2-x64

Sharing

General

Target

XwormLoader.exe
Size

7.9MB
Sample

241117-vh5rdatmby
MD5

5b757c6d0af650a77ba1bf7edea18b36
SHA1

c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3
SHA256

c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856
SHA512

93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960
SSDEEP

196608:T7b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr5:T7yvRZBEP3xZi5Oso+PWbXooL4Sa

Score

10^/10

xworm execution rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

XwormLoader.exe

Resource

win7-20241023-en

xworm execution rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

XwormLoader.exe

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

16 signatures

150 seconds

Behavioral task

behavioral3

Sample

XwormLoader.exe

Resource

win10ltsc2021-20241023-en

xworm execution rat trojan

windows10-ltsc 2021-x64

16 signatures

150 seconds

Behavioral task

behavioral4

Sample

XwormLoader.exe

Resource

win11-20241023-en

xworm execution rat trojan

windows11-21h2-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  XwormLoader.exe
- Size
  
  7.9MB
- MD5
  
  5b757c6d0af650a77ba1bf7edea18b36
- SHA1
  
  c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3
- SHA256
  
  c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856
- SHA512
  
  93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960
- SSDEEP
  
  196608:T7b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr5:T7yvRZBEP3xZi5Oso+PWbXooL4Sa
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

behavioral3

xwormexecutionrattrojan

behavioral4

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy