xworm | 05084a87d2dd351fb6a96d2cf873912d0c205e27300779c1f6e3aa61ad66c9d8 | Triage

Sharing

General

Target

VixenLoader.exe
Size

24KB
Sample

250123-2r7ewsxjhw
MD5

56508d7616007b172ca2606cefd7bdd6
SHA1

dd610f2bac2f687632135be864b2efb9f79aca07
SHA256

05084a87d2dd351fb6a96d2cf873912d0c205e27300779c1f6e3aa61ad66c9d8
SHA512

d5be1f3ce5f5d51b61561d09e8a22fe748ebacd55699e8ac98e206c4ef319b6a4fa3702987abc78d3856e897b8a5df1f72de3f53a8a05e94a11e382665b719a9
SSDEEP

384:efX3wDHuqrAFKNOPhXTgGS76xUBUv1+RKaM5EIAvuLNoo3QJ:xuqrAFKNOPhXTZ9qy9+RE5D4kb3Q

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Targets

- Target
  
  VixenLoader.exe
- Size
  
  24KB
- MD5
  
  56508d7616007b172ca2606cefd7bdd6
- SHA1
  
  dd610f2bac2f687632135be864b2efb9f79aca07
- SHA256
  
  05084a87d2dd351fb6a96d2cf873912d0c205e27300779c1f6e3aa61ad66c9d8
- SHA512
  
  d5be1f3ce5f5d51b61561d09e8a22fe748ebacd55699e8ac98e206c4ef319b6a4fa3702987abc78d3856e897b8a5df1f72de3f53a8a05e94a11e382665b719a9
- SSDEEP
  
  384:efX3wDHuqrAFKNOPhXTgGS76xUBUv1+RKaM5EIAvuLNoo3QJ:xuqrAFKNOPhXTZ9qy9+RE5D4kb3Q
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan