xworm | fd9d1dfc1cf359603277712f179a5616503dd8ef4616149782873cf87fbff728 | Triage

Submit
Reports

Overview

overview

Static

static

fd9d1dfc1c...8N.exe

windows7-x64

fd9d1dfc1c...8N.exe

windows10-2004-x64

Sharing

General

Target

fd9d1dfc1cf359603277712f179a5616503dd8ef4616149782873cf87fbff728N.exe
Size

52KB
Sample

250122-ae5xraylgl
MD5

57ce7a327782d47f5a95f5f73548d200
SHA1

1df4b4a4ed70605a7fede98f8c7e1b80042ef73e
SHA256

fd9d1dfc1cf359603277712f179a5616503dd8ef4616149782873cf87fbff728
SHA512

1aaa25fc2a18ce8087c3c37bd9097d3e78910324f9992085690fed471f3a00bcd74b249f332bc7824361499e8dc27aa676421f4d82d0be04246703f3e2cae41e
SSDEEP

1536:cpHDSBc87/UWF70l/Crbi/OZu71Omwkn2OBCy:cYW8rHF70l/Ybi/HOt+fT

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

fd9d1dfc1cf359603277712f179a5616503dd8ef4616149782873cf87fbff728N.exe

Resource

win7-20241010-en

xworm persistence rat trojan

windows7-x64

12 signatures

120 seconds

Behavioral task

behavioral2

Sample

fd9d1dfc1cf359603277712f179a5616503dd8ef4616149782873cf87fbff728N.exe

Resource

win10v2004-20241007-en

xworm persistence rat trojan

windows10-2004-x64

13 signatures

120 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8848

u-football.gl.at.ply.gg:8848

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  fd9d1dfc1cf359603277712f179a5616503dd8ef4616149782873cf87fbff728N.exe
- Size
  
  52KB
- MD5
  
  57ce7a327782d47f5a95f5f73548d200
- SHA1
  
  1df4b4a4ed70605a7fede98f8c7e1b80042ef73e
- SHA256
  
  fd9d1dfc1cf359603277712f179a5616503dd8ef4616149782873cf87fbff728
- SHA512
  
  1aaa25fc2a18ce8087c3c37bd9097d3e78910324f9992085690fed471f3a00bcd74b249f332bc7824361499e8dc27aa676421f4d82d0be04246703f3e2cae41e
- SSDEEP
  
  1536:cpHDSBc87/UWF70l/Crbi/OZu71Omwkn2OBCy:cYW8rHF70l/Ybi/HOt+fT
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy