xworm | a9720210f921e58821c983337e8b8188b37695ded19ac4655eec223ee138638a | Triage

Sharing

General

Target

NerestPC (1234).7z
Size

131KB
Sample

250121-aqsrkaxjap
MD5

53f566b0ecc482f4bf2692d2960aea56
SHA1

344eb55397ec0f359f7ff9ff447f32c3588a790b
SHA256

a9720210f921e58821c983337e8b8188b37695ded19ac4655eec223ee138638a
SHA512

6d2d5173b2caea7fb278ed7e3e3333e24462c159d40b4b9ca52b548ae9a987873823e97044bd7b6b29fbca8a011b7eec9f8d3f6f48bd854abcc78e3d50487b63
SSDEEP

3072:2F/dRKlhRmQxWAm8VEK+evHkbreYSZ6fqYvCYzV9Z/+35Bm:2FVwDRmx8VtHk3XgYvjzkO

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

early-doll.gl.at.ply.gg:17002

purpose-terror.gl.at.ply.gg:19882

Attributes

Install_directory
%AppData%
install_file
java.exe

Targets

- Target
  
  NerestPC.exe
- Size
  
  5.0MB
- MD5
  
  36ce218e741638ecff00c9a8a4bafee4
- SHA1
  
  7a99e8d39c9fc5d6526a1230d68f08ce38007a8e
- SHA256
  
  0c94444657b966a20aabb6df5917cb801d5587a6d8948516f1c18254965047f8
- SHA512
  
  0aeff3cd96d3788d054e841f4335149c18337ac9e934ad8da90a27294d506aafc96c3527bc17baddc5d52ea4bef4a88308dd36859d40eda7d50bf2806ad2cb1d
- SSDEEP
  
  6144:F9A6JRlmHikG0dE74e1iAkfLPfglyunnoU8S+P2N3DrrFGP:MSKik2ke1iNglymC25DrrFG
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan