xworm | cbce0de5b44bc1d63ac50c7da954f63f20148fd56547ddc1257282238a608bc8 | Triage

Sharing

General

Target

$phantomClient.bat
Size

274KB
Sample

250123-ayke6atlbt
MD5

38f07463ec0e63e7a582c1bac3b2a5e8
SHA1

b7ef827021e088cb2ed7c2b2bf348da6f3d86d45
SHA256

cbce0de5b44bc1d63ac50c7da954f63f20148fd56547ddc1257282238a608bc8
SHA512

5ebca03ce18b8543f3e29c5cace28dd614891475dd4370cf18c243311d4a787d814ca6a424645fd61fa51faec3de91e9566eb5c4d1be7b91cc100454ee893ca5
SSDEEP

6144:4vbNSGoQZJ2gx4csj3NKoqHHFRWrHaQTnO:4DNSW2j1eYG

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

florida-guild.gl.at.ply.gg:7717

Mutex

5JpFVUe17SDvBwAb

Attributes

Install_directory
%Public%
install_file
USB.exe

aes.plain

Targets

- Target
  
  $phantomClient.bat
- Size
  
  274KB
- MD5
  
  38f07463ec0e63e7a582c1bac3b2a5e8
- SHA1
  
  b7ef827021e088cb2ed7c2b2bf348da6f3d86d45
- SHA256
  
  cbce0de5b44bc1d63ac50c7da954f63f20148fd56547ddc1257282238a608bc8
- SHA512
  
  5ebca03ce18b8543f3e29c5cace28dd614891475dd4370cf18c243311d4a787d814ca6a424645fd61fa51faec3de91e9566eb5c4d1be7b91cc100454ee893ca5
- SSDEEP
  
  6144:4vbNSGoQZJ2gx4csj3NKoqHHFRWrHaQTnO:4DNSW2j1eYG
Score

10^/10

xworm defense_evasion execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionexecutionpersistencerattrojan