xworm

Sharing

Copy URL

Twitter E-mail

General

Target

SamsungCommisonforgbz.rar
Size

98KB
Sample

250122-rzfl2asjel
MD5

9330d37c4bcf02a000ffe70aa5720230
SHA1

a8994e89130edf420de677ff38e075a40ad28d3a
SHA256

3c2bfb840a89298362078051b0b0090acb291298cfa3189572ecdc954baaed0f
SHA512

0eb4079be6b705e47d342765bb96f96ca8cd916e86502fe321327c29144e9e0ffea9603723861536b02db137dbf3cb9a4bab56567e362138405d79365489647a
SSDEEP

3072:uSJOBvUkaczRfb6iTYW5jdFtfSqCpv3S/1i:uaOVPJPT3fSqChSNi

Score

10^/10

Malware Config

Extracted

Family

xworm

127.0.0.1:24707

modified-begun.gl.at.ply.gg:24707

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  real shit/Accessibility.dll
- Size
  
  19KB
- MD5
  
  c46e0413edba49fcb022f2059b8328c7
- SHA1
  
  c244c02b1eadb71dd7e389de16273e660dd1beed
- SHA256
  
  759cc60cd64286916cb932a89317ee8697232014a4373b8f10bd4f756cccea45
- SHA512
  
  20010408973909dc4cf1a0ac74cfe370f89178117d5ea256634f9fe6074883bf9997aeccf61b8da2bc10668e98decfa2d1e335bc9d9b2790b17ef06a27989a18
- SSDEEP
  
  384:UWI/W82MkSiVKmE+FNZgOcHi8jdHRN7CGlGseoR:2NEEfOcHfRs0
Score

3^/10

discovery
behavioral1
- Target
  
  real shit/SamsungCommisionExternal.exe
- Size
  
  63KB
- MD5
  
  6f30a565049364df3068b5bc88fd36d6
- SHA1
  
  2ca485eb96156bfc561acd69649cf3339da6c610
- SHA256
  
  e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d
- SHA512
  
  c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe
- SSDEEP
  
  1536:9VbfG3pj8mIfpubPOggHEyj26+6POhjV5yD/9:/fGZrIf0bPDgkyjnPOhp5U9
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  real shit/api-ms-win-core-heap-l1-1-0.dll
- Size
  
  11KB
- MD5
  
  6578096f353a0390bb5012cab7c575e6
- SHA1
  
  9d4d9b988b28a79e59edc24ddad1ea33718821c3
- SHA256
  
  4fce17577c2eab622835267bb5e355442221de85a0e481b4eef284a2eb0fdb04
- SHA512
  
  6b95e1d61f85625ca91d03cbb1fea1eeabeb0e6eca1590352ac3b072b5cd42756765c2cfec73a7ef7555c9239e141eb7c76b2eaacd4314bb8b4dfcf42e514514
- SSDEEP
  
  192:vcl6WphW8WSawTyihVWQ4eWImCt+6ArNc4qnajr7vg:kl6WphWFwGy5V4lrv
Score

3^/10

discovery
behavioral3
- Target
  
  real shit/api-ms-win-core-interlocked-l1-1-0.dll
- Size
  
  11KB
- MD5
  
  54864a516d26061e225ebf656eaa5655
- SHA1
  
  1a2cab704a4a56da8424ef114d977518f2dce65b
- SHA256
  
  e378bc303f7008a76a845736d5a6b0d56746e4904a9792fdb642cddd52028b4b
- SHA512
  
  d529c7064175cf77607c54f69084973774c473a21c55ecb6bc9e26404a6ba1f893087be91c7c3003cfc66b4bd8e73c8d40a6a203378e98dd72da23e175303ca1
- SSDEEP
  
  192:qXxDYsFYWphW3aWSawTyihVWQ4eWrBC5uE7Mqnajcf:qXxDYsFYWphWXwGymeuOMlA
Score

3^/10

discovery
behavioral4
- Target
  
  real shit/api-ms-win-core-libraryloader-l1-1-0.dll
- Size
  
  11KB
- MD5
  
  2791e9e5fb104a377c5c4c16b27f2612
- SHA1
  
  0d514d0d2efaf0c14a18d32d5623f0becec184ee
- SHA256
  
  018c64386a62c9759da743b29079b9fe205db71385c758d42e5065a58b7b8c14
- SHA512
  
  6a7d6dcebf7ccaf27f8aa60b27a755a80b72913e078a53b9c2d69622be130221e1ba81348951c3ff5e3e024acb03e93481df4571ec65b2a5675c60962e37370f
- SSDEEP
  
  192:JSvuBL3B5LgWphWMWSawTyihVWQ4eWBg2Pi43pPqs7IwdY+kqnajHaqxgm+2:UvuBL3BSWphW1wGy2fPbzIwS+klTx
Score

3^/10

discovery
behavioral5
- Target
  
  real shit/api-ms-win-core-localization-l1-2-0.dll
- Size
  
  13KB
- MD5
  
  ca9350d978ec4e395d8d76b54da8b7a3
- SHA1
  
  fccfdbbc86303e2f84f5a882fc6337de72252444
- SHA256
  
  8e022faf3a8f7df42fb5c955b78a1416c455b819b4708cfc3bd619c914c1d5a7
- SHA512
  
  827a6e9773e698cc69b415c2d4fafc0ffc514a0636e05be68f3d06acfb97daacdcf35e34a9e5463d684c1a40fa330126843322ec5e6dbd65bdfe26ab21b684e4
- SSDEEP
  
  384:+HOMw3zdp3bwjGfue9/0jCRrndb9WphWwwGyg4lrv:QOMwBprwjGfue9/0jCRrndb4X
Score

3^/10

discovery
behavioral6
- Target
  
  real shit/api-ms-win-core-memory-l1-1-0.dll
- Size
  
  11KB
- MD5
  
  9846995dd9919b1e376036e06953fa74
- SHA1
  
  dd96f69d9a22a1f6d8dd5d7272ae4c33b0c08b0d
- SHA256
  
  e7c72a3db22143283d7b4d9ed66fb98a37fa9de06ea1296b076941d22c2120f1
- SHA512
  
  0f3774690f2b796fb96f7a6af4dca5046ffb0a6169c909b450be66f0ea38bce6aa8eda6af29d873c5a239975032ba5b89e050d84bac3e08a7e327759e6550020
- SSDEEP
  
  192:VDKhWphW6WSawTyihVWQ4eW6Bam06ArNc4qnajr7vLOs:0hWphWnwGyVV4lrvi
Score

3^/10

discovery
behavioral7
- Target
  
  real shit/api-ms-win-core-namedpipe-l1-1-0.dll
- Size
  
  10KB
- MD5
  
  d8661447deb6a1f46d5e220fc75bbae8
- SHA1
  
  554bef2243f0e4d2802723d43af056c6fe3b1d35
- SHA256
  
  3dfc2a67b380b0d1ef0a206c6b2880fb975267d206773a2e0cf98bed206727e8
- SHA512
  
  d5cc94a459b951b2d32df163078b7e026a35e9332f01e9662e1100206bbe15c352e32736678e1eb88b9d3a60fafe3c8c0dcf5ab385dd6a2be99b7466768a937e
- SSDEEP
  
  192:iWphWEWSawTyihVWQ4eWYBc5M8xOSqnaj3yfU:iWphWdwGyZNCTlufU
Score

3^/10

discovery
behavioral8
- Target
  
  real shit/api-ms-win-core-processenvironment-l1-1-0.dll
- Size
  
  12KB
- MD5
  
  589914e52bed4161fd4b288b2c07de94
- SHA1
  
  e8775b997fbf7e2c39ac881a217f57744b41b6bb
- SHA256
  
  67f146e4508967d30df406fb18d4d771217b6d3585659a5c9aa2499cdad01500
- SHA512
  
  7b4b815a1a1b13a7a12c6283d0739c31ea93abf70a23aeda480b2884416926ad910b05e477ad2ba63683540348d16bc3df50d598c32146d55e5b1e9a17ddbd79
- SSDEEP
  
  192:AZ7WphWD0WSawTyihVWQ4SW64q1usUDR0qnajVXj9GOC:AZ7WphW5wGyKq1uQlxzbC
Score

3^/10

discovery
behavioral9
- Target
  
  real shit/api-ms-win-core-processthreads-l1-1-0.dll
- Size
  
  13KB
- MD5
  
  1641a8027af5a754dd164d6044917014
- SHA1
  
  5577d0be9d5d3874448e9f2c77286870c05f6d1d
- SHA256
  
  f8c0711a512059c648e83bef2f5b23119a454f457496e1dfead71d6942298863
- SHA512
  
  dded04a5211fe7762952afe39d51fa3540c0d7025c19468d2b5218f58bdd88043977f9eff99aa33decb6599bb3a4dd2a326cf9fc4fd7f6c4f3d38ef18e77d339
- SSDEEP
  
  384:1Hk1JzBcKcIpWphW8wGyaGECifl/zdbQD:1+cKc1/tzO
Score

3^/10

discovery
behavioral10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10