xworm | 160104171f76a625bac4aabf4fa99bc7a6c1c145786ff5bb98a949e40053fdeb | Triage

Submit
Reports

Overview

overview

Static

static

Versal Cli...ta.exe

windows7-x64

Versal Cli...ta.exe

windows10-2004-x64

Sharing

General

Target

Versal Open beta.zip
Size

39KB
Sample

241203-vrpfravmbz
MD5

73485207d11eb8be4890c2fe614ca19f
SHA1

8da62a34b0ad1ba1d76b80dd2814af75060ebe15
SHA256

160104171f76a625bac4aabf4fa99bc7a6c1c145786ff5bb98a949e40053fdeb
SHA512

e5286d2b2dd48e06ba480bb65f9d0328fa35f9d3cb56033c229fe755bc4a7bde33da9262c520e05a2b44347e966f3d8663300e1eac15ff2bac10508fe5375a1c
SSDEEP

768:lDy9l0kputAkzHxHW4MzSKZ0nVtSQAhncWa/HOgM4xDKpfEi72KK:lDhkE5RHW49ttWncWa/OgMYwl2KK

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Versal Client Beta.exe

Resource

win7-20240903-en

xworm persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Versal Client Beta.exe

Resource

win10v2004-20241007-en

xworm persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

slipprz.duckdns.org:7214

Attributes

Install_directory
%LocalAppData%
install_file
win32services.exe

Targets

- Target
  
  Versal Client Beta.exe
- Size
  
  68KB
- MD5
  
  3e7d64259b363be8f8d3ad5ce94943f4
- SHA1
  
  7e2fa2fb30069c3a7ce3f523440497d30ff6164f
- SHA256
  
  992fa7f194c76a9e6155a13ef849ae3fe55c3bd7954d3a08cff1719fdd16ae1b
- SHA512
  
  cadd51b55ad4ee21ed3c21bc462d034122fb5068c5bd8b82e61f2019c72d70c01f7c3892c916da6b89c39ba73ff9e65e6f52115fac3abc929796194008f0fca4
- SSDEEP
  
  1536:SDhdopFOmcMwSlUHbHzMiwO7EsxNbqFDAkIhQ+pnOhZ46+2dTR1:7OMjYbYiwv6NbqDXQnOPx+Y1
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy