xworm | 20ba1d60db4e5d51a698d7ab07e8a5dd75cd6aaae792c76dda315d757b9dfdde | Triage

Submit
Reports

Overview

overview

Static

static

Gorilla tag.exe

windows7-x64

Gorilla tag.exe

windows10-2004-x64

Sharing

General

Target

Gorilla tag.exe
Size

429KB
Sample

250121-r3w37ayrck
MD5

a47502d0bdaa67d14c762565ee7864d6
SHA1

afed9a6ac84e97bbd2dc2593ff6204716e696695
SHA256

20ba1d60db4e5d51a698d7ab07e8a5dd75cd6aaae792c76dda315d757b9dfdde
SHA512

dae6c201c878da5438a58bc6258cb7287ddfbf002c01c0a13deb4039a4fe5e8a85be04c57367f56de4ac26ae0a3fb0d166b27e06de354bf3b2efd38af5c636e9
SSDEEP

6144:BkGb8qJ+GIIIIIIIhIIIIIIIIIIIIIIIUz9bfF/H9d9n:BRC9

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Gorilla tag.exe

Resource

win7-20241010-en

xworm persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Gorilla tag.exe

Resource

win10v2004-20241007-en

xworm persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

est-review.gl.at.ply.gg:21148

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  Gorilla tag.exe
- Size
  
  429KB
- MD5
  
  a47502d0bdaa67d14c762565ee7864d6
- SHA1
  
  afed9a6ac84e97bbd2dc2593ff6204716e696695
- SHA256
  
  20ba1d60db4e5d51a698d7ab07e8a5dd75cd6aaae792c76dda315d757b9dfdde
- SHA512
  
  dae6c201c878da5438a58bc6258cb7287ddfbf002c01c0a13deb4039a4fe5e8a85be04c57367f56de4ac26ae0a3fb0d166b27e06de354bf3b2efd38af5c636e9
- SSDEEP
  
  6144:BkGb8qJ+GIIIIIIIhIIIIIIIIIIIIIIIUz9bfF/H9d9n:BRC9
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy