xworm | 5b940549458cab6ad926cd6870a66a805ef4317a29642f027fcf9a68a4b722eb | Triage

Resubmissions

22-01-2025 16:06

250122-tkatcavpfl 10

22-01-2025 12:23

250122-pkfx5swlgx 10

Sharing

General

Target

19d2287f1326130ae66d87f5e6c1a500.zip
Size

38KB
Sample

250122-pkfx5swlgx
MD5

19d2287f1326130ae66d87f5e6c1a500
SHA1

eee8fba423dea24db8ae64b4cb9d6ff096224253
SHA256

5b940549458cab6ad926cd6870a66a805ef4317a29642f027fcf9a68a4b722eb
SHA512

7606b4daa5b3c4a788e831f252495082225918f1ed038f32e5b6cc35299c0bba75677de233b753b4a41fcd93ae2f37bbbdace2fddcfe8f7a223fa0684c992274
SSDEEP

768:ob7EalqvGH9gL18c+V0WUUVJwaoziFemfLxk9y+c4vYzbCv:oRlaGH+5t+VkaoSf+xUbg

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

exe.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

Extracted

Family

xworm

Version

5.0

C2

87.120.116.179:1300

Mutex

bCXBALbPlXwHNISd

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  PORTAFOLIO DE TRANSACCIÓN REALIZADA A TERCEROS.js
- Size
  
  164KB
- MD5
  
  730bef083fbd8b608106a9c34c98cdc1
- SHA1
  
  4c8d3440733b2975d1c9a823df735cd11a3351a7
- SHA256
  
  37c427cb456a7fadc42fdcca721a2e24c7f6a43892870b6683bf4bf83ba4f52c
- SHA512
  
  1a4638ccc02d2774377a114c99fa3bf1e2e6790ae6c4c3ef35dc4d7ee146e4201f51c765d49c2ee3ecff3cef7f79ccdd1937bf479c3380da9e6b8276384e477c
- SSDEEP
  
  1536:OWa831+p9/3zJ7WkAZexE7EnhqOWxK4YEYL734izQ6VzYfA75CKPd6BBPWa4pmGu:OWr31O9rtWKXVueEG7LzQ6VYAln2
Score

10^/10

execution xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionrattrojan