xworm | 3d107b55c9f89d5c0f24f05ef990bc8f342908bef31f84088f516e5954f8609c | Triage

Sharing

General

Target

651429675c1d86cf068746159aa66b6d.bin
Size

163KB
Sample

241119-bqnnaaykdt
MD5

78988462e9b0d22cc1633a5000e1f579
SHA1

fc2548cb6dc9e069fad8a48b920b83c7428d2082
SHA256

3d107b55c9f89d5c0f24f05ef990bc8f342908bef31f84088f516e5954f8609c
SHA512

414ed3ff543c43ddbd481530df947ae41330196fda2c28ae0ca61db5ef7a159178e40d33c0e0a79fe13816ce2ed5cb761294cba4ab6bbac3fd2a1f147e3a49b0
SSDEEP

3072:DAdODV98T+vYelSqucTSS+ZX0bMQwc1+asDuTE1cwpFXDyEg:gS8T+vYuZucWS+ZkAU1+RIESG0Eg

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

activities-mustang.gl.at.ply.gg:54756

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe
- Size
  
  168KB
- MD5
  
  651429675c1d86cf068746159aa66b6d
- SHA1
  
  aad51d3448cb1e9f337a985ed840a0064d5699ee
- SHA256
  
  30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c
- SHA512
  
  397e2a05e8f3d45c04953998a09d76212b38e3dc9073be814cb3010ea94b00733d2557a6e5002b0a2401fb33d62908e794553a6afd31e45b0afe6987806272fb
- SSDEEP
  
  3072:gwe+6Rkd+MisaP1JmK6Hw9hEgXEp1NDLfgAiKgD7fYtB2SOEQW40/mmo0ioi:glbRFLsaPfmK6HwXDXsFglf7gya4tm
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan