xworm | 876279d2efe790bf2e60a1d6bae02b08228a485d208151a5b1278e2fd11e2369 | Triage

Submit
Reports

Overview

overview

Static

static

1

EzSpoofer.bat

windows10-2004-x64

Sharing

General

Target

EzSpoofer.bat
Size

290KB
Sample

250123-w1n21szngr
MD5

cac585a686a51452504600d4fcf1f7b3
SHA1

cff487749ee57d6a6228622776392fa80d85041e
SHA256

876279d2efe790bf2e60a1d6bae02b08228a485d208151a5b1278e2fd11e2369
SHA512

0364f3e26c03ad92ac447aa446304dd7da7a46916ae62e70380529177416964b543da4df08e0e46221f57196513a062cc46eb80d02f2c52ea2c0cd7989e1aea9
SSDEEP

6144:ikknMyCyb4UpNDYSBObHBnWxp/3f8ZWftYQcuKPprtHnnWd:iOib449YFFnYf9xcbrNnq

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

EzSpoofer.bat

Resource

win10v2004-20241007-en

xworm discovery execution persistence rat trojan

windows10-2004-x64

26 signatures

900 seconds

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes

Install_directory
%ProgramData%

Targets

- Target
  
  EzSpoofer.bat
- Size
  
  290KB
- MD5
  
  cac585a686a51452504600d4fcf1f7b3
- SHA1
  
  cff487749ee57d6a6228622776392fa80d85041e
- SHA256
  
  876279d2efe790bf2e60a1d6bae02b08228a485d208151a5b1278e2fd11e2369
- SHA512
  
  0364f3e26c03ad92ac447aa446304dd7da7a46916ae62e70380529177416964b543da4df08e0e46221f57196513a062cc46eb80d02f2c52ea2c0cd7989e1aea9
- SSDEEP
  
  6144:ikknMyCyb4UpNDYSBObHBnWxp/3f8ZWftYQcuKPprtHnnWd:iOib449YFFnYf9xcbrNnq
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy