xworm | f0d99388ad3f8c9d1dfa1c1f21009f2119519236588b3949854eb9dc6ca44da6 | Triage

Submit
Reports

Overview

overview

Static

static

3

f0d99388ad...a6.exe

windows7-x64

f0d99388ad...a6.exe

windows10-2004-x64

Sharing

General

Target

f0d99388ad3f8c9d1dfa1c1f21009f2119519236588b3949854eb9dc6ca44da6.exe
Size

7.7MB
Sample

250119-fqccgawph1
MD5

6f0da64ec09a64c1023210601daebd47
SHA1

8a3f884823e2e0f6812815daaa2649f3d265fddf
SHA256

f0d99388ad3f8c9d1dfa1c1f21009f2119519236588b3949854eb9dc6ca44da6
SHA512

395785cd5906b1abb95fe5ae8a78baafeeea4a7cbb66e7a6c60c927e33e185886cd8ee95fed308a2268b94f005c49ec1589381cf9f4b3911bb5232d38380f78f
SSDEEP

196608:h6GGgRJEK4OCORRpwPtYGfQeK6a/Js6N8imDg+BIu3jpx4hT:8GGoRRI2ht/Js6N83n1jpx8T

Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f0d99388ad3f8c9d1dfa1c1f21009f2119519236588b3949854eb9dc6ca44da6.exe

Resource

win7-20240903-en

xworm discovery execution persistence pyinstaller rat trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

f0d99388ad3f8c9d1dfa1c1f21009f2119519236588b3949854eb9dc6ca44da6.exe

Resource

win10v2004-20241007-en

xworm discovery execution persistence pyinstaller rat trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

indian-tall.gl.at.ply.gg:65520

Attributes

Install_directory
%AppData%
install_file
keyauth.exe

Targets

- Target
  
  f0d99388ad3f8c9d1dfa1c1f21009f2119519236588b3949854eb9dc6ca44da6.exe
- Size
  
  7.7MB
- MD5
  
  6f0da64ec09a64c1023210601daebd47
- SHA1
  
  8a3f884823e2e0f6812815daaa2649f3d265fddf
- SHA256
  
  f0d99388ad3f8c9d1dfa1c1f21009f2119519236588b3949854eb9dc6ca44da6
- SHA512
  
  395785cd5906b1abb95fe5ae8a78baafeeea4a7cbb66e7a6c60c927e33e185886cd8ee95fed308a2268b94f005c49ec1589381cf9f4b3911bb5232d38380f78f
- SSDEEP
  
  196608:h6GGgRJEK4OCORRpwPtYGfQeK6a/Js6N8imDg+BIu3jpx4hT:8GGoRRI2ht/Js6N83n1jpx8T
Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencepyinstallerrattrojan

behavioral2

xwormdiscoveryexecutionpersistencepyinstallerrattrojan

© 2018-2025

Terms | Privacy