xworm | 12dc0a56caae75015dfee9c04bb256ae494341aab3e2f8456e028564695c9c97 | Triage

Submit
Reports

Overview

overview

Static

static

3

4560c26325...42.exe

windows7-x64

4560c26325...42.exe

windows10-2004-x64

Sharing

General

Target

4f0c8a81138b78a1f40ef1d383632130.bin
Size

91KB
Sample

241119-blzvraykav
MD5

d47cc5a7b9f99b4955408f85920c3bb4
SHA1

b7076c6fa3fbcd4cf976d0026b394751e72782ff
SHA256

12dc0a56caae75015dfee9c04bb256ae494341aab3e2f8456e028564695c9c97
SHA512

e8e80e43fd9c1cf1a73fd750b48ca26821e690c7bf5dc4a604bdd4c002bb7652c2f67397b3afcda439a563a394c551861f593519c40b352c7ba164f7f3a3a93c
SSDEEP

1536:8DWgr6AFcJFBE+dj5lJt7dc1ovy+8Ykzgsn9qsUMsTP9Rw8XG5f70JTfl5WZ40fj:DY6BFllb5c1ov0BLnFsT1WMWf701/WGM

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe

Resource

win7-20240729-en

xworm execution persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

left-noon.gl.at.ply.gg:60705

Attributes

Install_directory
%AppData%
install_file
US11B.exe

Targets

- Target
  
  4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe
- Size
  
  116KB
- MD5
  
  4f0c8a81138b78a1f40ef1d383632130
- SHA1
  
  96b6c6ff5c5b1aa90014e975bb851d23acbed598
- SHA256
  
  4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42
- SHA512
  
  687dddf2a070acbb5eee3af912dc1461968a67b05992f76f5a77a5bb0d773ae1049c7e44386c4a44d5971ace7784a8601c2fc3f47f1f8dbbb06a7e04646bbf1c
- SSDEEP
  
  3072:oziOToQz31V4b1pCoLd7H7dwsIc6rmGBLYdLrfncO:+ToQzFjox7bCs5WmGVYVrfn
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy