xworm | 68fb0d6a348b6962f02272a0f8018a83ab69576f09729bed1af975bb9b6544ea | Triage

Resubmissions

22-01-2025 13:19

250122-qkt1faypfj 10

18-01-2025 20:58

250118-zsgjratqhw 10

Sharing

General

Target

NetCompilerCShrp.exe
Size

1.5MB
Sample

250122-qkt1faypfj
MD5

c125697bdf4aae54fa53be4e772c6a49
SHA1

919afec0cb7a46024a221c0c02721eca753ccd80
SHA256

68fb0d6a348b6962f02272a0f8018a83ab69576f09729bed1af975bb9b6544ea
SHA512

6e8b95b8aeae30ae09ff4674bf8f173cde38d9f5fdd2cce73ca694d1e2599f24cb81870f862cb77c8e89a271e8d5aae03cc82a52663727fca70577d166602488
SSDEEP

24576:/MeoskJNFkm0deK3zuRCLg4j43tpikJ8eTgOFGR2QRR0dwY1gjHq3V4:RkJNFPorzuRCLgs+nggIRq47V

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

unable-39391.portmap.host:39391

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Targets

- Target
  
  NetCompilerCShrp.exe
- Size
  
  1.5MB
- MD5
  
  c125697bdf4aae54fa53be4e772c6a49
- SHA1
  
  919afec0cb7a46024a221c0c02721eca753ccd80
- SHA256
  
  68fb0d6a348b6962f02272a0f8018a83ab69576f09729bed1af975bb9b6544ea
- SHA512
  
  6e8b95b8aeae30ae09ff4674bf8f173cde38d9f5fdd2cce73ca694d1e2599f24cb81870f862cb77c8e89a271e8d5aae03cc82a52663727fca70577d166602488
- SSDEEP
  
  24576:/MeoskJNFkm0deK3zuRCLg4j43tpikJ8eTgOFGR2QRR0dwY1gjHq3V4:RkJNFPorzuRCLgs+nggIRq47V
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan