xworm | e9bea6465a06ebf414dff5f3cd7a869b96999e6e362f91248f87bae54c53c498 | Triage

Sharing

General

Target

FIVEM Spoofer v2.0.1.rar
Size

49KB
Sample

241203-3x742s1kgw
MD5

62ea69cdeaa12c133d9da828d8ba3401
SHA1

7c6ce70edc31df775b33247de921bae71d6cb840
SHA256

e9bea6465a06ebf414dff5f3cd7a869b96999e6e362f91248f87bae54c53c498
SHA512

ba45067e6fe30ce4398171613709aba36fb5f1c41dad4bc6db722c5c4ca0131ec8edc740f03823ac07e4b1aa17536c5015e4f7b42feda24824a891ca2be7b4f7
SSDEEP

768:4zCbB0dPsGrmrMPwTPFEKy4E4hOUrxC6ZiB/8xN6tMeREJtYOcVBzyqHfrc:UEB0RsGrh2PWvjU17Z0t9R8+thA

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
microsoft.exe
pastebin_url
https://pastebin.com/raw/N6pAtM1g
telegram
https://api.telegram.org/bot8194509243:AAHuGycCOOCR1qZuZsQobJEKrfnKQFVeryI/sendMessage?chat_id=6570700929

Targets

- Target
  
  FIVEM Spoofer v2.0.1.exe
- Size
  
  85KB
- MD5
  
  a63586f1478b1a6ccdfc243436ba13a9
- SHA1
  
  dc6f913c7b7b1961f0e5cbcb21db6babe8bd0c6e
- SHA256
  
  c3820247a9d7005a14428218a4a66d7636258806498b8921963e73eecba9e67d
- SHA512
  
  442c75f0e3fef39cb5b81bb80e621bb5574d386ffab7d1d170469368422f4678aa249716cdca69b1deb25da4fc1a0f5730e4495f4f29cb0d78d29bdc6e0a4fd9
- SSDEEP
  
  1536:RW7GBhNS+vJBDv2wv+l+2U5mV7GVt0Gmdos2rcLEOgbv8b4ycK+b7Lik6HC8h95l:E7eNS+vJBDv2wvytVgt9x6gbv8b44478
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan