xworm | 2a941fc746bc1d50f9d84a2936deb146c8501c350819a02fdddf92a7cb4ad275 | Triage

Submit
Reports

Overview

overview

Static

static

3

NeptuneRat V4.0.exe

windows10-2004-x64

Sharing

General

Target

NeptuneRat V4.0.exe
Size

291KB
Sample

250121-bm5sdsynfj
MD5

3c307836e2b7e74b428306fe1850361b
SHA1

b01e94d0d986e225b33d6764c78960a79323ac2f
SHA256

2a941fc746bc1d50f9d84a2936deb146c8501c350819a02fdddf92a7cb4ad275
SHA512

ca985e7d9b5660ab4beedd5bffc5e91f091a5e841ff53cb386b0af75765f56beac16f20819611ce0f72a81bb6d7ea08ae386efad2ad1c001cf7e96799f3ae2fc
SSDEEP

6144:vS25OwbrqZhMV3kYIklbHmiI8o2oPE7zz83/C8bZlcx:vXbrehMV3QWLYA7zz868bZ

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NeptuneRat V4.0.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.0

C2

should-reductions.gl.at.ply.gg:24817

Attributes

Install_directory
%AppData%
install_file
NoiseSup.exe

Targets

- Target
  
  NeptuneRat V4.0.exe
- Size
  
  291KB
- MD5
  
  3c307836e2b7e74b428306fe1850361b
- SHA1
  
  b01e94d0d986e225b33d6764c78960a79323ac2f
- SHA256
  
  2a941fc746bc1d50f9d84a2936deb146c8501c350819a02fdddf92a7cb4ad275
- SHA512
  
  ca985e7d9b5660ab4beedd5bffc5e91f091a5e841ff53cb386b0af75765f56beac16f20819611ce0f72a81bb6d7ea08ae386efad2ad1c001cf7e96799f3ae2fc
- SSDEEP
  
  6144:vS25OwbrqZhMV3kYIklbHmiI8o2oPE7zz83/C8bZlcx:vXbrehMV3QWLYA7zz868bZ
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy