xworm | 371152817ab82ddb5694d0d6f683d214672e38ecc2f4bfa59cd406e37bdfe0d9 | Triage

Resubmissions

31/12/2024, 16:33

241231-t2hkhsypav 10

31/12/2024, 16:25

241231-txb7yaymdw 10

Sharing

Copy URL Twitter E-mail

General

Target

371152817ab82ddb5694d0d6f683d214672e38ecc2f4bfa59cd406e37bdfe0d9.exe
Size

77KB
Sample

241231-t2hkhsypav
MD5

68efef8fd1a57cae13a047f19f5c3c23
SHA1

eb30546549a7520dda3f9980baee22ce5cb4b704
SHA256

371152817ab82ddb5694d0d6f683d214672e38ecc2f4bfa59cd406e37bdfe0d9
SHA512

0ce2fdb01e5d140a8df6d09cc233b0ddb845ea59da232f1a59977c743a85a89fc72d917ba59e11affc77fdd4a1349028b6bc8825d3481c6c26ec74d656686ab8
SSDEEP

1536:U7pcnFirzFgP25vzL9OpP6KbwMRpxG6+OzL9dzl1:abFgP2lz5OAKbwMvxGOzDl1

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

think-catholic.gl.at.ply.gg:38845

Attributes

Install_directory
%Public%
install_file
shellhost.exe

Targets

- Target
  
  371152817ab82ddb5694d0d6f683d214672e38ecc2f4bfa59cd406e37bdfe0d9.exe
- Size
  
  77KB
- MD5
  
  68efef8fd1a57cae13a047f19f5c3c23
- SHA1
  
  eb30546549a7520dda3f9980baee22ce5cb4b704
- SHA256
  
  371152817ab82ddb5694d0d6f683d214672e38ecc2f4bfa59cd406e37bdfe0d9
- SHA512
  
  0ce2fdb01e5d140a8df6d09cc233b0ddb845ea59da232f1a59977c743a85a89fc72d917ba59e11affc77fdd4a1349028b6bc8825d3481c6c26ec74d656686ab8
- SSDEEP
  
  1536:U7pcnFirzFgP25vzL9OpP6KbwMRpxG6+OzL9dzl1:abFgP2lz5OAKbwMvxGOzDl1
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan