xworm | adf1fdc27468d99ac5169485c733eb472d00c79ba4c4d07c7d7f396ca19d7d70 | Triage

Sharing

General

Target

s3_n.exe
Size

5.5MB
Sample

241203-l697bs1jax
MD5

0e747d8ff04debc20e1f2df6c71b9190
SHA1

76d41d66c9ede87d1aa52492a308087e2063e258
SHA256

adf1fdc27468d99ac5169485c733eb472d00c79ba4c4d07c7d7f396ca19d7d70
SHA512

ada850b09e34000e2e4d499ee1c915853ee646a2b8fe2da881541635ba3806eb0e035f08376359fb88696d8eabb08e3efd42f2cd60c4c73db431cc45a31c1e87
SSDEEP

49152:3eR7xTxs5J/ClgJZGq1XNWqAqaCeOw/efl7zYIx2jy5EJfDxY8bw0PXM2W0wplmP:OB4/CZzr8fl7EOE0mmS1

Score

10^/10

xworm defense_evasion execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

U7sKl0tpfhRT8PYA

Attributes

Install_directory
%LocalAppData%
install_file
rundll64.exe
pastebin_url
https://pastebin.com/raw/EiiXCJbn

aes.plain

Targets

- Target
  
  s3_n.exe
- Size
  
  5.5MB
- MD5
  
  0e747d8ff04debc20e1f2df6c71b9190
- SHA1
  
  76d41d66c9ede87d1aa52492a308087e2063e258
- SHA256
  
  adf1fdc27468d99ac5169485c733eb472d00c79ba4c4d07c7d7f396ca19d7d70
- SHA512
  
  ada850b09e34000e2e4d499ee1c915853ee646a2b8fe2da881541635ba3806eb0e035f08376359fb88696d8eabb08e3efd42f2cd60c4c73db431cc45a31c1e87
- SSDEEP
  
  49152:3eR7xTxs5J/ClgJZGq1XNWqAqaCeOw/efl7zYIx2jy5EJfDxY8bw0PXM2W0wplmP:OB4/CZzr8fl7EOE0mmS1
Score

10^/10

xworm defense_evasion execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdefense_evasionexecutionrattrojan