xworm

General

Target

http://64.7.198.63/wtc.cmd
Sample

250119-n64qnawnbv

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.216.19.12:7000

Mutex

QHMc6qbZcmJeh5Wz

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7830414956:AAEyqRgiEQW-DV0wawv6-EaJ6kx7dVhrDyc

aes.plain

Targets

- Target
  
  http://64.7.198.63/wtc.cmd
Score

10^/10

xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1