xworm | fdd819a27bd822ff4de89f41b1ca0b81123097f11bcbca0d3a12eece56f037a6 | Triage

Submit
Reports

Overview

overview

Static

static

SolaraSetup.exe

windows11-21h2-x64

Sharing

General

Target

SolaraSetup.rar
Size

63KB
Sample

250121-b8es4aznhy
MD5

cac8c41c873f56d71cb62e0e3a6f3873
SHA1

3bf88d45d4e9f330448c06bb415b29305fe9675b
SHA256

fdd819a27bd822ff4de89f41b1ca0b81123097f11bcbca0d3a12eece56f037a6
SHA512

14f3000f18b21e9d11e4930a5190f7541bd2628237c7e595d3553c02d08899ee165eef56d52da590d614d9f09fe25d9208eca1ce4ff621ec7e72f62f40199adb
SSDEEP

1536:s3CNnpb8n6wLy5SOmQwiLcoWLsfwyrsfMxNkH+:scnA+GiLcoWM5aoNkH+

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

SolaraSetup.exe

Resource

win11-20241007-en

xworm execution persistence rat trojan

windows11-21h2-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:24468

friendly-nest.gl.at.ply.gg:24468

Attributes

Install_directory
%Temp%
install_file
Windows Session Start-Up.exe

Targets

- Target
  
  SolaraSetup.exe
- Size
  
  138KB
- MD5
  
  de82040516bdddfa1ae7cd25ff1d8821
- SHA1
  
  510e369380576be42c34602f011ebe1ca7857d96
- SHA256
  
  996b01d648030939599a70593631cca8ef57ee681e0bac831282bff157a52e9f
- SHA512
  
  a6bcca6ddc6d312c339537f2593eeb2ded6a4444e648a58d61d7c24724bc2ec097054fdb4101c306d1af191832755b9f2bbbc01df24da74a5a12042d9f6c5e86
- SSDEEP
  
  3072:bhVm3OgDkb4inC11jOLJMle68EiJHuFOve:tVBgDkbnC1pe682O
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy