xworm | 2b60d620e823ec02ddc282697d4d9fb1f444463081f04fd06438a7bc96a9ef6a | Triage

Sharing

General

Target

WizWorm.exe
Size

14.4MB
Sample

241120-c81w1azbrm
MD5

7b482bfebde8df6acddf6ade34bdc08c
SHA1

bb8515e16d931d9482d0231adc1f6e15eb2fd3e2
SHA256

2b60d620e823ec02ddc282697d4d9fb1f444463081f04fd06438a7bc96a9ef6a
SHA512

66a1503cd25f8ffca00c0f13683116bdf53a99a41764715823a398da9777795ce64aa3160a32d39f424407648eaec3fc2637482a280994fa6477b53450e08b9d
SSDEEP

393216:8b8KCaXxgAAtOdR7eHNhoTP81jIMCrSAPp14uKVQ2E0iQII/1:8b8KRXxqtHthoTlPpftQIs1

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

mailing-perception.gl.at.ply.gg:63145

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Targets

- Target
  
  WizWorm.exe
- Size
  
  14.4MB
- MD5
  
  7b482bfebde8df6acddf6ade34bdc08c
- SHA1
  
  bb8515e16d931d9482d0231adc1f6e15eb2fd3e2
- SHA256
  
  2b60d620e823ec02ddc282697d4d9fb1f444463081f04fd06438a7bc96a9ef6a
- SHA512
  
  66a1503cd25f8ffca00c0f13683116bdf53a99a41764715823a398da9777795ce64aa3160a32d39f424407648eaec3fc2637482a280994fa6477b53450e08b9d
- SSDEEP
  
  393216:8b8KCaXxgAAtOdR7eHNhoTP81jIMCrSAPp14uKVQ2E0iQII/1:8b8KRXxqtHthoTlPpftQIs1
Score

10^/10

xworm defense_evasion execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionexecutionpersistencerattrojan