xworm | 6fd73d755b0173df9d053ee54130059e4ffabbd12cf220a4475137943cae7461 | Triage

Sharing

General

Target

nnn.txt
Size

1.1MB
Sample

241203-nrpcestmcw
MD5

d339683a764e49413878a53ecca1115e
SHA1

b1cdad94beb95570bf79ce8ddce303a6adc6a645
SHA256

6fd73d755b0173df9d053ee54130059e4ffabbd12cf220a4475137943cae7461
SHA512

1ad85d4af989bcbae1a9d14fd46adacef7fc060997171d4685bdc64f55fe0dcd3b006764e68ac89c61ccd43a2273a0abdb71b3b3ef29708dbd68c3391bcc9649
SSDEEP

24576:/2YKVYezmE95uretDFKzOBEwAftuvmYpMtSHc/JW1:/2YKVPCeeb5YO908/JW

Score

10^/10

xworm collection discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

41.216.183.218:59865

Mutex

uPvgCPFOpAYI9aFz

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  nnn.txt
- Size
  
  1.1MB
- MD5
  
  d339683a764e49413878a53ecca1115e
- SHA1
  
  b1cdad94beb95570bf79ce8ddce303a6adc6a645
- SHA256
  
  6fd73d755b0173df9d053ee54130059e4ffabbd12cf220a4475137943cae7461
- SHA512
  
  1ad85d4af989bcbae1a9d14fd46adacef7fc060997171d4685bdc64f55fe0dcd3b006764e68ac89c61ccd43a2273a0abdb71b3b3ef29708dbd68c3391bcc9649
- SSDEEP
  
  24576:/2YKVYezmE95uretDFKzOBEwAftuvmYpMtSHc/JW1:/2YKVPCeeb5YO908/JW
Score

10^/10

discovery xworm collection rat spyware stealer trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormcollectiondiscoveryratspywarestealertrojan