xworm | f1db2121b89f530bd74ed44c8a14e2ee3734db74fbb722f16c9f2466fb6e23c4 | Triage

Sharing

General

Target

f1db2121b89f530bd74ed44c8a14e2ee3734db74fbb722f16c9f2466fb6e23c4
Size

366KB
Sample

241203-pvdkrs1lgq
MD5

4f5692a403b1b3dd667c76ce1f11d880
SHA1

383940ce84f31672f1ce3e029a2a62f8c4fd71df
SHA256

f1db2121b89f530bd74ed44c8a14e2ee3734db74fbb722f16c9f2466fb6e23c4
SHA512

f0a1af04232e625800973b2b9f83d8273fffb7abda790007fef58b2e1a644a530a30df0bea2e66714ba7512f930a3e8b2af21b03119e783d563edcb22691b248
SSDEEP

6144:RCiEZuBipI7bg0f+UNozkuxatmxY4YihFOwoXrQnY9:kde7My2ogiXE

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Mutex

0LLXgeoJ4l4QFpG6

Attributes

install_file
USBDriver.exe
pastebin_url
https://pastebin.com/raw/FrUYqTuA

aes.plain

Targets

- Target
  
  f1db2121b89f530bd74ed44c8a14e2ee3734db74fbb722f16c9f2466fb6e23c4
- Size
  
  366KB
- MD5
  
  4f5692a403b1b3dd667c76ce1f11d880
- SHA1
  
  383940ce84f31672f1ce3e029a2a62f8c4fd71df
- SHA256
  
  f1db2121b89f530bd74ed44c8a14e2ee3734db74fbb722f16c9f2466fb6e23c4
- SHA512
  
  f0a1af04232e625800973b2b9f83d8273fffb7abda790007fef58b2e1a644a530a30df0bea2e66714ba7512f930a3e8b2af21b03119e783d563edcb22691b248
- SSDEEP
  
  6144:RCiEZuBipI7bg0f+UNozkuxatmxY4YihFOwoXrQnY9:kde7My2ogiXE
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan