xworm | 7d6ff01e6a8805bcc7678aabd3c71ba8493bc0e93cfa05c3c4a9621d481b26a3 | Triage

Submit
Reports

Overview

overview

Static

static

7d6ff01e6a...3N.exe

windows7-x64

7d6ff01e6a...3N.exe

windows10-2004-x64

Sharing

General

Target

7d6ff01e6a8805bcc7678aabd3c71ba8493bc0e93cfa05c3c4a9621d481b26a3N.exe
Size

62KB
Sample

250122-pqc4faxlfn
MD5

27073262c053ce8de5d3ca9cd80b04c0
SHA1

f4958421fb58916bba8f78c914934eacbc4685f2
SHA256

7d6ff01e6a8805bcc7678aabd3c71ba8493bc0e93cfa05c3c4a9621d481b26a3
SHA512

53ebd126fc6a47bd3f73ddbc63f0963a3937348f7a1564af1d61d17536cef5a9c1618f38f73f501ccbbad80eeb83d569dadae266430ee69adfe9587a9359741b
SSDEEP

768:9cSO/q11X3zEBAd+sSphlECCuyyzdXMgr9tLWbspkpNUfcTjYmQ6g8KOHhH9+0nu:Sj6GsSQyZMe9tSbspkYeK68OH22u

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

7d6ff01e6a8805bcc7678aabd3c71ba8493bc0e93cfa05c3c4a9621d481b26a3N.exe

Resource

win7-20240903-en

xworm execution persistence rat trojan

windows7-x64

14 signatures

120 seconds

Behavioral task

behavioral2

Sample

7d6ff01e6a8805bcc7678aabd3c71ba8493bc0e93cfa05c3c4a9621d481b26a3N.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

120 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:55303

NareReti-22747.portmap.host:55303

NareReti-55303.portmap.host:55303

Attributes

Install_directory
%ProgramData%
install_file
Updater.exe
telegram
https://api.telegram.org/bot6840191997:AAGAMBGwNzL_wSKuYrOBbKDIGphrx-yRlhI

Targets

- Target
  
  7d6ff01e6a8805bcc7678aabd3c71ba8493bc0e93cfa05c3c4a9621d481b26a3N.exe
- Size
  
  62KB
- MD5
  
  27073262c053ce8de5d3ca9cd80b04c0
- SHA1
  
  f4958421fb58916bba8f78c914934eacbc4685f2
- SHA256
  
  7d6ff01e6a8805bcc7678aabd3c71ba8493bc0e93cfa05c3c4a9621d481b26a3
- SHA512
  
  53ebd126fc6a47bd3f73ddbc63f0963a3937348f7a1564af1d61d17536cef5a9c1618f38f73f501ccbbad80eeb83d569dadae266430ee69adfe9587a9359741b
- SSDEEP
  
  768:9cSO/q11X3zEBAd+sSphlECCuyyzdXMgr9tLWbspkpNUfcTjYmQ6g8KOHhH9+0nu:Sj6GsSQyZMe9tSbspkYeK68OH22u
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy