xworm | 0ebf810b5f45b14e23e4c979a01234713a1716f6ddc406f1205cb913c5bb4331 | Triage

Submit
Reports

Overview

overview

Static

static

XClient2.exe

windows7-x64

XClient2.exe

windows10-2004-x64

Sharing

General

Target

XClient2.exe
Size

73KB
Sample

250119-cdys6asmfl
MD5

b2ef5f0f3fc231b44618d23072656ba2
SHA1

a235bfd290aa924ef88d3904cc708151776bcb21
SHA256

0ebf810b5f45b14e23e4c979a01234713a1716f6ddc406f1205cb913c5bb4331
SHA512

ce174b8c75a45a4664dc1f1957c78fc802cddb00a88310e41ff35e0b6e376e88e3a8ce87111c53c36189e5f650b25e2d41586fcb16dabe732a27138307aeeac3
SSDEEP

1536:axMzsl89sXDQ7wfhaGyH8T+bX04b/6ugpOpeL2llU:axgsaeBYlbXVUpOpeLolU

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient2.exe

Resource

win7-20240903-en

xworm execution persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

XClient2.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

virtual-pointed.gl.at.ply.gg:17000

virtual-pointed.gl.at.ply.gg:17000:17000

127.0.0.1:17000

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Targets

- Target
  
  XClient2.exe
- Size
  
  73KB
- MD5
  
  b2ef5f0f3fc231b44618d23072656ba2
- SHA1
  
  a235bfd290aa924ef88d3904cc708151776bcb21
- SHA256
  
  0ebf810b5f45b14e23e4c979a01234713a1716f6ddc406f1205cb913c5bb4331
- SHA512
  
  ce174b8c75a45a4664dc1f1957c78fc802cddb00a88310e41ff35e0b6e376e88e3a8ce87111c53c36189e5f650b25e2d41586fcb16dabe732a27138307aeeac3
- SSDEEP
  
  1536:axMzsl89sXDQ7wfhaGyH8T+bX04b/6ugpOpeL2llU:axgsaeBYlbXVUpOpeLolU
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy