xworm

General

Target

motionsfree.zip
Size

87KB
Sample

250119-jzjppa1jaz
MD5

5b14a4da4e4c853014beaedf542c2bba
SHA1

0ddf25db4fc9a3691ddcaf9305388a01aa9f16bb
SHA256

b24f9cda29a7b8918ee0dbcb77b1d11520d9dc04da1fe652365a9d6fabf818fa
SHA512

c1a4ea8ea3c1c236351c60abc8c367b223913484efb1501c1f72284e90fc4d2f09a4df4f6fddfeb987c7795412e1b4563535a7fd5ed9affcb2dbf2f39882920b
SSDEEP

1536:nmismr70Yg7a7OnphoQO6z9D+p1mismr70Yg7a7OnphoQO6z9D+pD:miV67aynph26z9niV67aynph26z9u

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

levels-lcd.gl.at.ply.gg:43683

Attributes

install_file
USB.exe

Targets

- Target
  
  motionsfree/FIX.exe
- Size
  
  72KB
- MD5
  
  2e29bad58db43ee1ad1d04cf20264ee6
- SHA1
  
  5efb45dcae46ec90af78a14aa42f43ee8821ed87
- SHA256
  
  d7d2ed1f5d39a5aab17d231ee0766b245ae4c2ff5a22fdd9ac66e690958b17e3
- SHA512
  
  b80b15b614a269df7ee428f35fa614fa588d5efe520f35e10b0039074a5d5368ef20a6155df4c531782f49fc1dd0ebd9daae302e59cfec36c9816d8c91da450d
- SSDEEP
  
  1536:9zbQ+8n8qytjvF7u06Do3z4cXoD+bFBAFSgEi85phiS6r4pOO426F:9vQ+88qyVF7u0Goj4cYD+bFqA18O4d
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  motionsfree/motionscheats.exe
- Size
  
  72KB
- MD5
  
  2e29bad58db43ee1ad1d04cf20264ee6
- SHA1
  
  5efb45dcae46ec90af78a14aa42f43ee8821ed87
- SHA256
  
  d7d2ed1f5d39a5aab17d231ee0766b245ae4c2ff5a22fdd9ac66e690958b17e3
- SHA512
  
  b80b15b614a269df7ee428f35fa614fa588d5efe520f35e10b0039074a5d5368ef20a6155df4c531782f49fc1dd0ebd9daae302e59cfec36c9816d8c91da450d
- SSDEEP
  
  1536:9zbQ+8n8qytjvF7u06Do3z4cXoD+bFBAFSgEi85phiS6r4pOO426F:9vQ+88qyVF7u0Goj4cYD+bFqA18O4d
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4