xworm | 49dd5def78f486c8827daa85c840cee3c4292595c634af94780f05993d9128c6 | Triage

Sharing

General

Target

49dd5def78f486c8827daa85c840cee3c4292595c634af94780f05993d9128c6.exe
Size

50KB
Sample

241203-nfzc9asrdz
MD5

d08c6251a4242a295b2b12f099d11670
SHA1

11c079d31ebf1732fbe65f83a0be15202478967f
SHA256

49dd5def78f486c8827daa85c840cee3c4292595c634af94780f05993d9128c6
SHA512

ba74639a5e7ae6add2a28ab4c15067ce77f241805a102356759bc1fbb032f89c56bfb44c9d7cdcbfcc1782d64e012859b10559d7e8b81aab894e6cc66fd2ddce
SSDEEP

1536:0Q1Zw+K5/jjV6wTO+bOekp4G60r0MOT/LgF:e5bjMz+bOIA/OTTgF

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

24.ip.gl.ply.gg:12722

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  49dd5def78f486c8827daa85c840cee3c4292595c634af94780f05993d9128c6.exe
- Size
  
  50KB
- MD5
  
  d08c6251a4242a295b2b12f099d11670
- SHA1
  
  11c079d31ebf1732fbe65f83a0be15202478967f
- SHA256
  
  49dd5def78f486c8827daa85c840cee3c4292595c634af94780f05993d9128c6
- SHA512
  
  ba74639a5e7ae6add2a28ab4c15067ce77f241805a102356759bc1fbb032f89c56bfb44c9d7cdcbfcc1782d64e012859b10559d7e8b81aab894e6cc66fd2ddce
- SSDEEP
  
  1536:0Q1Zw+K5/jjV6wTO+bOekp4G60r0MOT/LgF:e5bjMz+bOIA/OTTgF
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan