xworm | 53ee6d52394d65188f8708b169671078b933db86b2593ca50cba2a135edb4bb6 | Triage

Sharing

General

Target

53ee6d52394d65188f8708b169671078b933db86b2593ca50cba2a135edb4bb6
Size

71KB
Sample

241202-11c2zavpfs
MD5

0a30907e43f657a9909dcc8f8094d378
SHA1

35bf09ed9ad5b7391322a472be81fb83301ebc98
SHA256

53ee6d52394d65188f8708b169671078b933db86b2593ca50cba2a135edb4bb6
SHA512

55d1c293476803eda980ba5694c91a67575e7271210cba5e7ada964ea8678d0022fa44b5bfaf3e05fec65149a137fb772cbdf080d829039728f01307e5798fe1
SSDEEP

1536:pfUlgsAJKf6ng5Qbp/dpiXVfpsRDSF86MicnaIqbsOQzCo+KB:8gsXQbpD8mWFO9IsO4vJB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

24.ip.gl.ply.gg:6239

Attributes

Install_directory
%AppData%
install_file
WinRAR.exe

Targets

- Target
  
  53ee6d52394d65188f8708b169671078b933db86b2593ca50cba2a135edb4bb6
- Size
  
  71KB
- MD5
  
  0a30907e43f657a9909dcc8f8094d378
- SHA1
  
  35bf09ed9ad5b7391322a472be81fb83301ebc98
- SHA256
  
  53ee6d52394d65188f8708b169671078b933db86b2593ca50cba2a135edb4bb6
- SHA512
  
  55d1c293476803eda980ba5694c91a67575e7271210cba5e7ada964ea8678d0022fa44b5bfaf3e05fec65149a137fb772cbdf080d829039728f01307e5798fe1
- SSDEEP
  
  1536:pfUlgsAJKf6ng5Qbp/dpiXVfpsRDSF86MicnaIqbsOQzCo+KB:8gsXQbpD8mWFO9IsO4vJB
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan