xworm

Sharing

Copy URL

Twitter E-mail

General

Target

PrivateKeyinfected.zip
Size

137KB
Sample

241203-ht3pyazqhn
MD5

70d06330e186df7cc1230934f1c2fc13
SHA1

0b34665615ce674e3d5597f195e1dc018c154ec3
SHA256

31b5dd4b9119afd13692f5a3d204b139fe78affae1d1ceb6ca426ea59d8a1df1
SHA512

1c2e0c1f9ef11fb600a6ce35325a44faf228aa17dca7dbfa1001fa3c2333725d4fe46490921329a2eebe638d930e4152a50ccdf7830bbf8240806c2d128716de
SSDEEP

3072:gJLIHRnm9UzCz+J8qETkduWSmRVtVHWWqVrAUEUy6c2kinJhtORQe:yL79UzCyJ3Ok79bZqVVyVQns

Score

10^/10

Malware Config

Targets

- Target
  
  Private Key/AUTHZAX.DLL
- Size
  
  67KB
- MD5
  
  6d7aaaadf2bb5a485c9af58f73641379
- SHA1
  
  0cf59ade584b41a987cd256172633d5f78bdd64d
- SHA256
  
  21bd2da73c0fd41e35999b01e695e8187741812a138494ad4b2d3c4e5241937d
- SHA512
  
  ce97970c9cd42944c4d08438962297e3215595254776db6d732298984ccd9ee8778ec83b5f39d229d89b6fc4c0d49647a78120fce0acc03fa3bb60ea91cfd6b0
- SSDEEP
  
  768:hV2w7WuYlsz1Zha3S0EJaKZf3VcvB/2AgbfViz7/TFFGVOucKfsgx9e3PlYZKO+Q:mwJYKs8XMTf7/TX6e3PYKO+oU795Y
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2
- Target
  
  Private Key/BCSAutogen.dll
- Size
  
  48KB
- MD5
  
  16e35e8821dc8d90348f274efa941792
- SHA1
  
  698599ee94bf4e4c271e989699e288bbd5fc31e3
- SHA256
  
  c37325c2ce7803f93033090a477df7a8588d5a1cdef6cc0cea44e299bf8da989
- SHA512
  
  879dd4c8cd4bdf4ffbbb6affd259ff47bf4077e6686808a91b10fc0fdb234139dc3ed69e40ce3ca31f0b0bb1d7ea940fd0b6c0317e0865883eb2283c50abfdc9
- SSDEEP
  
  768:OmA/lY8mNiYiVvpT/Ix7Y40DX/AdFepp83LSw2eAOswwbz64cROMi2jpv:mlYH6vdw0/AS+WeAOsfbz64g595
Score

1^/10
behavioral3 behavioral4
- Target
  
  Private Key/BCSClient.Msg.dll
- Size
  
  38KB
- MD5
  
  5cb87afc5f4c9c46819d26d8fa3f5c44
- SHA1
  
  706c5a662a7dd76cf5ba832fba1835528931d863
- SHA256
  
  49871714d54dc38e91777cfb4cdc9117cc7b22693db054851b1992202ba4b7e1
- SHA512
  
  eadca1a9437793b4d4fd6eeeab247051b0fd594d94b990d3f7b0328e82bab62282d4d2e93b83e68d0638b6587db7eefd9b87bc2331e05f236e9426e0954889f6
- SSDEEP
  
  384:uTKH7lynP81JsaRSJt/KQocMIq8MffHI3rbZKpUMFLXci2jpv3q:uTg7eP81Kast/KzHABuZMi2jpv6
Score

1^/10
behavioral5 behavioral6
- Target
  
  Private Key/PrivateKey.exe
- Size
  
  154KB
- MD5
  
  862464171ecda5723495bb550333299d
- SHA1
  
  758a01822fc99784aa4aee11320c5d0ef9f9144a
- SHA256
  
  351204f597cc50297b451ec81afc83c4f36051a02a53337717d60f2d44af75eb
- SHA512
  
  7a9207c86f48242a8eac5bc023a489fdf07cc6773f77661c9014e567bc210828fcd87af956c419bc07c6438c422f5a8d98c1b30deb6852030e364f64edbc47ce
- SSDEEP
  
  3072:DgBYQ1F57Um2xodoYCIERvrdboeIPPQxRzWr:kBb53ERvrdbsPIxRzW
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Adds Run key to start application
  persistence
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Event Triggered Execution: Component Object Model Hijacking

Detect Xworm Payload

Xworm family

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8