xworm | 92928576a5025f65731d63ef466da320c30d77597870966a0ec1c8adb742495b | Triage

Submit
Reports

Overview

overview

Static

static

1

5d7ba3966a...61.png

windows11-21h2-x64

Sharing

General

Target

5d7ba3966a48563f7e6b3e2161df4161.png
Size

174KB
Sample

241118-wjfdjs1qfv
MD5

3d83f69ea35a4f67a5affa842a02cda9
SHA1

0b02a589b5716d85163d6f0a275b5694370d8185
SHA256

92928576a5025f65731d63ef466da320c30d77597870966a0ec1c8adb742495b
SHA512

3f3f9bb917dc4957d160a4bb4d8b3a6238193d8b4dbab0514a95bd703682c74be936af9815ac03a65254ece579f251ea67443c8a045c1afb89b18ecda18617a5
SSDEEP

3072:hWLLhhZ7r1/DbdJnjtasC7vl9DX61WMRU1fFFQBSPFdOC5mfvq7atuQ:hWnlv1/PXjtaJ7HDX61dRU1NiyjA5tt

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

5d7ba3966a48563f7e6b3e2161df4161.png

Resource

win11-20241007-en

xworm defense_evasion discovery execution rat trojan

windows11-21h2-x64

29 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

man-laughing.gl.at.ply.gg:57783

Attributes

Install_directory
%LocalAppData%
install_file
Windows Data Compiler.exe

Targets

- Target
  
  5d7ba3966a48563f7e6b3e2161df4161.png
- Size
  
  174KB
- MD5
  
  3d83f69ea35a4f67a5affa842a02cda9
- SHA1
  
  0b02a589b5716d85163d6f0a275b5694370d8185
- SHA256
  
  92928576a5025f65731d63ef466da320c30d77597870966a0ec1c8adb742495b
- SHA512
  
  3f3f9bb917dc4957d160a4bb4d8b3a6238193d8b4dbab0514a95bd703682c74be936af9815ac03a65254ece579f251ea67443c8a045c1afb89b18ecda18617a5
- SSDEEP
  
  3072:hWLLhhZ7r1/DbdJnjtasC7vl9DX61WMRU1fFFQBSPFdOC5mfvq7atuQ:hWnlv1/PXjtaJ7HDX61dRU1NiyjA5tt
Score

10^/10

xworm defense_evasion discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Window

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy