xworm | b15e57df1ab1fc902337d52f633267b802ccee6f37ba21ca065ae14380817081 | Triage

Sharing

General

Target

PO#8329837372938383839238PDF.exe
Size

177KB
Sample

241121-jvej6svkbm
MD5

ba88dca6e9d0a6f55a8addc30b02d988
SHA1

f48b8d8255a9192675dde74ef7db412fcb528792
SHA256

b15e57df1ab1fc902337d52f633267b802ccee6f37ba21ca065ae14380817081
SHA512

f10c077bb1aa2c0c32ce0dc03a0b3e27f838b98c1251d7540d2d81e7c3b13ee45cfcb79be085ea83dd12ee9eb0613a1fc116f9283236379fdf85320199a6e2c3
SSDEEP

3072:jvXdvpzRm9npGJyJObSGOOs3KI/ZMQRoGaHn2J:jvXdvpzRmzm/bSGOOs3KI/GQI

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

nwamama.ydns.eu:3791

Mutex

bUIwrJMMMqrauUWR

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  PO#8329837372938383839238PDF.exe
- Size
  
  177KB
- MD5
  
  ba88dca6e9d0a6f55a8addc30b02d988
- SHA1
  
  f48b8d8255a9192675dde74ef7db412fcb528792
- SHA256
  
  b15e57df1ab1fc902337d52f633267b802ccee6f37ba21ca065ae14380817081
- SHA512
  
  f10c077bb1aa2c0c32ce0dc03a0b3e27f838b98c1251d7540d2d81e7c3b13ee45cfcb79be085ea83dd12ee9eb0613a1fc116f9283236379fdf85320199a6e2c3
- SSDEEP
  
  3072:jvXdvpzRm9npGJyJObSGOOs3KI/ZMQRoGaHn2J:jvXdvpzRmzm/bSGOOs3KI/GQI
Score

10^/10

discovery xworm rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryrattrojan