xworm

General

Target

Nerest soft.rar
Size

10.7MB
Sample

250119-t3bhlawlev
MD5

36a311bd68a15d33cf34f2d5a379f575
SHA1

436e425d3a8c52871da0bead8a0935a5c82bb160
SHA256

995b076987f2c8c9217c04b52f4a618dd317d5d5415b3898ba107d12a8e9522d
SHA512

e683aff0d6c77ba47de449f04062c41ad7e30b00768c6d8508f584ead812edd2d0ae4e9d938b8532898ff8f9902676b1163bd387546db6435fb5d19c072a0e08
SSDEEP

196608:x8dOjq6AUN3CFaLgkag0igtXbShm+PH/b1D7Xo0YwYpfn+aA7aPUP/e428iXdC:WT1UN3FLth03Xuhm+PTVN1Yd+b7aPWsk

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

back-spots.gl.at.ply.gg:21395

Attributes

Install_directory
%Temp%
install_file
USB.exe

Targets

- Target
  
  Nerest sofr/!LOADER.exe
- Size
  
  125KB
- MD5
  
  0324d4d7ff2026809d8c3f4bd0f3573e
- SHA1
  
  73f39a2778bbaa29246a75a7274b8bc7836bd329
- SHA256
  
  e14dbac690979b4fa9b2fee4a8221bfdcb03500458d3f9c8912fa1e0e4674492
- SHA512
  
  0209d6abb503a2698ee3bb8393da8b7622c3f6318f7aff8173a2406abc31d5d422002ab47113a85e2b7dc292d6735c23fd083aa1c1de4dd275a6e0f28e091f6b
- SSDEEP
  
  3072:3uZ+4zKUSfFzqbaQgKA64kCOd4pUzaewwQU4OHRemSL:3gKJFzqb3A64kK+zBuU4OIm
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  Nerest sofr/bin/!LOADER.exe
- Size
  
  6.9MB
- MD5
  
  de24df122fbc3293087f4939c6fb8b16
- SHA1
  
  a061e90c61d9ca357d0f4592bd0768432338fa94
- SHA256
  
  ccccf05053891883f6268a31390b3a731fa6b787b16e2c0dd429a31e5878acb0
- SHA512
  
  ac27ee610c535d3f5eaf6c03ffc7dd59d30f96bb81e029258f507cffdb243db87533ca10b79846810e624223ac6cd5515c10832f1e907fd37edd4ef6365eb503
- SSDEEP
  
  196608:GKah1rbvnKfTMLXla7cJz/FUtUK+hLFV/Ap:GKa7r+fTMLXla7cJTM7+h4p
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  Nerest sofr/bin/adb.exe
- Size
  
  5.6MB
- MD5
  
  f1f479bba21298e758fc22d8d98f8e48
- SHA1
  
  2f7ef0bf7a9ca33da621ba29794ae9c8c95c0bca
- SHA256
  
  705ddc21f33ac52105d1b075b019962ad0e44fb3d560bde69ce8cb3a36bca183
- SHA512
  
  3b491cd07e1e05e14fcec13956e8c023a4f2bbcb9459f3965868a00e33bc4d7e258ac645da9f1b5ca6f9d9a757b879d696ab95800a03240b37aa42265d4e914f
- SSDEEP
  
  49152:p1bbBWmqcEr5DV0uLC5sakvVgieBn5BzPZjdZYvM+ojzJLF+vW6Daa55pXxNh9Vm:hgV5mkvt6NzZYU+iWz5iXGTailRRQd
Score

3^/10

discovery
behavioral3