xworm | 3f72d384eb716a3fb5da70541e033e0dca76f2479d8c64c0087c8c9dc3c6148b | Triage

Submit
Reports

Overview

overview

Static

static

rat.exe

windows7-x64

rat.exe

windows10-2004-x64

Sharing

General

Target

rat.exe
Size

41KB
Sample

241120-t9nrhayhng
MD5

4f1165749ca148c4e5e1cc9668b77362
SHA1

59bc26664dc28a62583406c4a76ecc63e5868dc8
SHA256

3f72d384eb716a3fb5da70541e033e0dca76f2479d8c64c0087c8c9dc3c6148b
SHA512

610f4939228790155716ec3574838a6dd49a339dd669667fcd4a2dd552f3558c82ac3f51507b91ba7d26717007095114cfc5b313d6db93a6b10fe905869b7c5a
SSDEEP

768:8yIOKKVKWC6uzXvgggCLJF5PG9pmeX6vOwhT3Emzy:8zbKVKWLcXvvgcFI9AeX6vOwt9O

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

rat.exe

Resource

win7-20240903-en

xworm execution persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

rat.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tcp://ikonik2681-35277.portmap.host:35277

Mutex

E9ghqILQRlbkHiLe

Attributes

Install_directory
%AppData%
install_file
$77MicrosoftDefender.exe

aes.plain

Targets

- Target
  
  rat.exe
- Size
  
  41KB
- MD5
  
  4f1165749ca148c4e5e1cc9668b77362
- SHA1
  
  59bc26664dc28a62583406c4a76ecc63e5868dc8
- SHA256
  
  3f72d384eb716a3fb5da70541e033e0dca76f2479d8c64c0087c8c9dc3c6148b
- SHA512
  
  610f4939228790155716ec3574838a6dd49a339dd669667fcd4a2dd552f3558c82ac3f51507b91ba7d26717007095114cfc5b313d6db93a6b10fe905869b7c5a
- SSDEEP
  
  768:8yIOKKVKWC6uzXvgggCLJF5PG9pmeX6vOwhT3Emzy:8zbKVKWLcXvvgcFI9AeX6vOwt9O
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy