xworm | 3faea98d2cb190e31c5192537aa1819a783b0338ce3701aebd81c3f01cc7ee0e | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

NURSULTAN ALPHA.exe

windows10-2004-x64

Sharing

General

Target

NURSULTAN ALPHA (infected).zip
Size

31KB
Sample

250121-anv4xawres
MD5

9bcfb6bf03f4ca24555dd15f3fdd5d2e
SHA1

d19c1e9dba759a0fd8686b80f7c3e86ca5925ab4
SHA256

3faea98d2cb190e31c5192537aa1819a783b0338ce3701aebd81c3f01cc7ee0e
SHA512

c3516e08e425811d07d6e0c63460241fe170dfe7bf4655eaa4f8f2a331f88b4265b1b9b41681c6203648257c29267378b57a17d94b8b2cfe1cce848905e2ed72
SSDEEP

768:9skUPQ35RtfN89xz6Ro4MHF9uqmqfeUHmkvw:99jpRtfN8Trun0Hm3

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

NURSULTAN ALPHA.exe

Resource

win10v2004-20241007-en

xworm persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

uk-satisfy.gl.at.ply.gg:19829

Attributes

Install_directory
%AppData%
install_file
dicrord.exe

Targets

- Target
  
  NURSULTAN ALPHA.exe
- Size
  
  57KB
- MD5
  
  64337e41e0d008c8fc8bd34ccac0498a
- SHA1
  
  e3581de7afd0f519a2093790bf539ace22a8175a
- SHA256
  
  f57436d88d68b9b039ece54db9ed69ba31b67c319bb80704a5add41bd647e345
- SHA512
  
  b721cd5c6d762aa3b81b4ebcda08bdc8ab5d67b89ec43a448f8f8c4254971349d87317692771e54060e6788274a2b385576d5ea0549ef4eb0696a1f667e27b61
- SSDEEP
  
  768:VVeyCaU93AiS/BWeUMzKDsbJrl5101UDDL5KAjyFOz2hgElVnA1K/:zeHN9iOMzRbJrl510WwdFOqPlgK/
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.