xworm | b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38 | Triage

Sharing

General

Target

file.exe
Size

72KB
Sample

241121-1ck3nssndl
MD5

8d52069bd117da94e0b0b70e73e33fb0
SHA1

e8090adddff167e1bda4194af968ba4bc22a2d60
SHA256

b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
SHA512

7a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed
SSDEEP

1536:8C7dCCRXek2ycziKLGIp78eax9xbMxioyAgDd+E6V186Oc8E2el:p7MKOHXBGVpxbIEAgRA1dOcYel

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

87.120.112.33:8398

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579

Targets

- Target
  
  file.exe
- Size
  
  72KB
- MD5
  
  8d52069bd117da94e0b0b70e73e33fb0
- SHA1
  
  e8090adddff167e1bda4194af968ba4bc22a2d60
- SHA256
  
  b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
- SHA512
  
  7a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed
- SSDEEP
  
  1536:8C7dCCRXek2ycziKLGIp78eax9xbMxioyAgDd+E6V186Oc8E2el:p7MKOHXBGVpxbIEAgRA1dOcYel
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan