xworm

General

Target

ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
Size

49KB
Sample

241121-nchw4ascpn
MD5

718cb27afcc862a09f8275b7e738be09
SHA1

38e11449118b1b54a44a1a09b40ea7547103ad8c
SHA256

ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
SHA512

616f239bddd665d777bfef42fce0adfd15aecaa2cdd96420ac9421c1589b08a75959a5539f8de9ef689a9826c8aa583ec1ff2401ac736232f84968b5a922ff67
SSDEEP

768:NPcxLY8x6plvTQRbglW0Lw1MTHWpC+eJsEYWgh8/XyizR1yg5LhtOMlAcqDD9uer:RrDVTcTvOCugqXyIug5PwJqwV

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7772

13.71.91.225:7772

Mutex

Sapr6UBSh6DxjMnP

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7585343577:AAHgS-QNhULHIXmK3EKIXWuMP2uRNZpJjd8/sendMessage?chat_id=5424396760

aes.plain

Targets

- Target
  
  ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
- Size
  
  49KB
- MD5
  
  718cb27afcc862a09f8275b7e738be09
- SHA1
  
  38e11449118b1b54a44a1a09b40ea7547103ad8c
- SHA256
  
  ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
- SHA512
  
  616f239bddd665d777bfef42fce0adfd15aecaa2cdd96420ac9421c1589b08a75959a5539f8de9ef689a9826c8aa583ec1ff2401ac736232f84968b5a922ff67
- SSDEEP
  
  768:NPcxLY8x6plvTQRbglW0Lw1MTHWpC+eJsEYWgh8/XyizR1yg5LhtOMlAcqDD9uer:RrDVTcTvOCugqXyIug5PwJqwV
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2