xworm | 65975962e36d40cc5df6bbd46468e7eea057dbf0a5d736a5b09ca9fb86f76e69 | Triage

Submit
Reports

Overview

overview

Static

static

spoofer test.7z

windows7-x64

spoofer test.7z

windows10-2004-x64

Sharing

General

Target

spoofer test.7z
Size

50KB
Sample

241204-ss785svmbp
MD5

8b3a44d1922c7266bc6ef1e8678411a5
SHA1

ebf3cb0418459364ba1b6c11911aaca37db96237
SHA256

65975962e36d40cc5df6bbd46468e7eea057dbf0a5d736a5b09ca9fb86f76e69
SHA512

13b4fa66c9fdbbbb911351e0e4090c56e686a8f8880ea32bba839620666c15df62e8e3fbd2993897caf2a4e4395a1f1123dcc22576a1bd048b09da6ce3a19eff
SSDEEP

1536:DFwJbKfTJvHdEGWe1xa0CgJVaJmNPIHWf:pwJbMTN+Aq0CiM2Pzf

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

spoofer test.7z

Resource

win7-20240903-en

xworm execution persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

spoofer test.7z

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

six-usb.gl.at.ply.gg:49722

Attributes

Install_directory
%Userprofile%
install_file
System User.exe

Targets

- Target
  
  spoofer test.7z
- Size
  
  50KB
- MD5
  
  8b3a44d1922c7266bc6ef1e8678411a5
- SHA1
  
  ebf3cb0418459364ba1b6c11911aaca37db96237
- SHA256
  
  65975962e36d40cc5df6bbd46468e7eea057dbf0a5d736a5b09ca9fb86f76e69
- SHA512
  
  13b4fa66c9fdbbbb911351e0e4090c56e686a8f8880ea32bba839620666c15df62e8e3fbd2993897caf2a4e4395a1f1123dcc22576a1bd048b09da6ce3a19eff
- SSDEEP
  
  1536:DFwJbKfTJvHdEGWe1xa0CgJVaJmNPIHWf:pwJbMTN+Aq0CiM2Pzf
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy