xworm | 303c6ed3f758547c3332d02958c26bd257b25ff5ece45c92da69be6e670cafc8 | Triage

Sharing

General

Target

NEVERLOSECRACK (123).zip
Size

348KB
Sample

250121-ayn4caxlhn
MD5

3f8c6023cd1d96c50d8d121d05253134
SHA1

da5c30f7534bde5164a8b65063e7f866b806868a
SHA256

303c6ed3f758547c3332d02958c26bd257b25ff5ece45c92da69be6e670cafc8
SHA512

908e7ac77c366d17c5e77b820f94730a291dc5353dbcc0818228234d07b719fb5b97bb0e83d74bb61755b719edf2af9024f5d1a9d17a7e75d680e7df3723045a
SSDEEP

6144:Vg1mt8vbSSEgzDG3l8zNzouGjlddeT6fB5SkUDKaEOMLDC3RWRzBG10E:GuaStMDq0h6jl/86fBXUDPE5LmRcBi0E

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

userxmorma-27072.portmap.host:27072

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Targets

- Target
  
  NEVERLOSECRACK/NeverLooseCrack.exe
- Size
  
  76KB
- MD5
  
  331b5c6dda37833f554e5e6c9d44e3f1
- SHA1
  
  fffef041a29de6e8074892d5ffdcc9fca9baf297
- SHA256
  
  cd9f53b64227c1bd9aac338ca4c2f52f62dfe709b5daa1ec2356ea423f7abcae
- SHA512
  
  5b1a5c7890d254c67daabbcc470bd816520f65fdaa11bf1f49756ca236685005cdb0c22454842f3610f80c0e1d566632be0a75bff8c54bb301524332bcfc136c
- SSDEEP
  
  1536:LuEnJn49wJcmzpafAuQRmYr+bSeRCNWXnn64TTEOm9i2W4YL:yEd0ucfAvwYr+btCwXFYOT2W7L
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan