xworm | e860a3c718b864a28f858b63b4418b45e93bd238fae19e8da8224c410e9eb772 | Triage

Sharing

General

Target

Internal.vmp.exe
Size

71KB
Sample

250120-lema7aspdp
MD5

58559a2f3b00bd938dd1f26a8fdf0e7c
SHA1

6a07c99804295019e52eb4b3fcac0560f8a9acf2
SHA256

e860a3c718b864a28f858b63b4418b45e93bd238fae19e8da8224c410e9eb772
SHA512

c9cd1129163c6146b4238d917b8b150c5498bc01ed2304f6c099702e7e333853f447162f5ca723db33a08b082861703379b829b7a099cc1e52444b56bfac0d19
SSDEEP

1536:3RE/PlVX7qHW83cPkCCSbBUFOXuUccI6kuq9QOmYlyy:3REVV0W8sPPCSbBUIXdOTMy

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:47599

147.185.221.23:47599

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Targets

- Target
  
  Internal.vmp.exe
- Size
  
  71KB
- MD5
  
  58559a2f3b00bd938dd1f26a8fdf0e7c
- SHA1
  
  6a07c99804295019e52eb4b3fcac0560f8a9acf2
- SHA256
  
  e860a3c718b864a28f858b63b4418b45e93bd238fae19e8da8224c410e9eb772
- SHA512
  
  c9cd1129163c6146b4238d917b8b150c5498bc01ed2304f6c099702e7e333853f447162f5ca723db33a08b082861703379b829b7a099cc1e52444b56bfac0d19
- SSDEEP
  
  1536:3RE/PlVX7qHW83cPkCCSbBUFOXuUccI6kuq9QOmYlyy:3REVV0W8sPPCSbBUIXdOTMy
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan