xworm | b51ff988152a1d96407941ee19298e7e4ce8035ce6dff054c3b439110dfb101d | Triage

Submit
Reports

Overview

overview

Static

static

3

SPOOFER.exe

windows7-x64

SPOOFER.exe

windows10-2004-x64

Resubmissions

23-01-2025 05:23

250123-f3h1satrgw 10

23-01-2025 05:23

250123-f3dfasvrgp 10

Sharing

General

Target

SPOOFER.exe
Size

100KB
Sample

250123-f3h1satrgw
MD5

16a83a02e42ff5cccf920ab083ae38b8
SHA1

882dce9a3edb6908d02605594018a23b729052b6
SHA256

b51ff988152a1d96407941ee19298e7e4ce8035ce6dff054c3b439110dfb101d
SHA512

4ebd72f8a79884a90a71ba587fb2a6609a0a76a8d58e6d1d574dc280b7be71f4771a5fcf32d4c4d248ce4e0b5cd87aac04731e4f815ef2927eab26812f26d940
SSDEEP

3072:JoJpXPp1M4lq34QZ48dvVfyFp23HjQID+0w:ux1Hs4YBdvVauhL

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SPOOFER.exe

Resource

win7-20241010-en

xworm discovery execution persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

SPOOFER.exe

Resource

win10v2004-20241007-en

xworm discovery execution persistence rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

logo-kerry.gl.at.ply.gg:23249

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  SPOOFER.exe
- Size
  
  100KB
- MD5
  
  16a83a02e42ff5cccf920ab083ae38b8
- SHA1
  
  882dce9a3edb6908d02605594018a23b729052b6
- SHA256
  
  b51ff988152a1d96407941ee19298e7e4ce8035ce6dff054c3b439110dfb101d
- SHA512
  
  4ebd72f8a79884a90a71ba587fb2a6609a0a76a8d58e6d1d574dc280b7be71f4771a5fcf32d4c4d248ce4e0b5cd87aac04731e4f815ef2927eab26812f26d940
- SSDEEP
  
  3072:JoJpXPp1M4lq34QZ48dvVfyFp23HjQID+0w:ux1Hs4YBdvVauhL
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

behavioral2

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy