xworm | 58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8 | Triage

Sharing

General

Target

58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe
Size

168KB
Sample

241118-tl758szekh
MD5

aee93634e5040dc2a7ae6ebc7e06b952
SHA1

41f2ab5f784252217a5c1516cd76dbffd67bbeac
SHA256

58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8
SHA512

673ed7d77a1b025c120f9e99bc81e857158420adc380094b620b62ce9c38daf8f7b11d9788d1861da0cff71285fba228f80f2c8a872589f47373eb126b65f06e
SSDEEP

3072:gwe+6Rkd+MisaP1JmK6Hw9hEgXEp1NDLfgAiKgD7fYtB2SOEQW40/mmo0ioiM:glbRFLsaPfmK6HwXDXsFglf7gya4tmB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

activities-mustang.gl.at.ply.gg:54756

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8.exe
- Size
  
  168KB
- MD5
  
  aee93634e5040dc2a7ae6ebc7e06b952
- SHA1
  
  41f2ab5f784252217a5c1516cd76dbffd67bbeac
- SHA256
  
  58f9f63d8670db392456194af508ecd14dc67e6cb6c12bb97e6dc3c6e6a235c8
- SHA512
  
  673ed7d77a1b025c120f9e99bc81e857158420adc380094b620b62ce9c38daf8f7b11d9788d1861da0cff71285fba228f80f2c8a872589f47373eb126b65f06e
- SSDEEP
  
  3072:gwe+6Rkd+MisaP1JmK6Hw9hEgXEp1NDLfgAiKgD7fYtB2SOEQW40/mmo0ioiM:glbRFLsaPfmK6HwXDXsFglf7gya4tmB
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan