xworm | 0f06d9dfb9badfd337bd1dfb21f8b0ebb934e81072cddcef3d8466e526f2275b | Triage

Submit
Reports

Overview

overview

Static

static

xdblake.exe

windows7-x64

xdblake.exe

windows10-2004-x64

Sharing

General

Target

xdblake.exe
Size

66KB
Sample

241118-t4j65a1dln
MD5

bca20b0a6a3877b3bbedd6595e804164
SHA1

0bfd19a1dac3f937098aa005ff0b5aab2e767663
SHA256

0f06d9dfb9badfd337bd1dfb21f8b0ebb934e81072cddcef3d8466e526f2275b
SHA512

4932b511e0429f3a97b726483a87641d579a0d0d8f61c2771eb900baaffe36ea9ee2fba4e098fd922dc3c2aab8b0684483096ed9eb0de23cdc97f63ac449ac32
SSDEEP

1536:aefDEXUBdPPSuPr+hBcbDVnjXVQ6eK4ORonSLIF:aextSuPr4BcbpjFIK4O6nSsF

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

xdblake.exe

Resource

win7-20241010-en

xworm execution persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

xdblake.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

yet-assist.gl.at.ply.gg:63100

Attributes

Install_directory
%ProgramData%
install_file
$77wsappx.exe

Targets

- Target
  
  xdblake.exe
- Size
  
  66KB
- MD5
  
  bca20b0a6a3877b3bbedd6595e804164
- SHA1
  
  0bfd19a1dac3f937098aa005ff0b5aab2e767663
- SHA256
  
  0f06d9dfb9badfd337bd1dfb21f8b0ebb934e81072cddcef3d8466e526f2275b
- SHA512
  
  4932b511e0429f3a97b726483a87641d579a0d0d8f61c2771eb900baaffe36ea9ee2fba4e098fd922dc3c2aab8b0684483096ed9eb0de23cdc97f63ac449ac32
- SSDEEP
  
  1536:aefDEXUBdPPSuPr+hBcbDVnjXVQ6eK4ORonSLIF:aextSuPr4BcbpjFIK4O6nSsF
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy