xworm | f88df84b84e4d27953a62adfa03325b45cde22a3d8254ec21ab4c77d51d6e3bb | Triage

Sharing

General

Target

E988635D9E1159BC4C77C3C9838CA0492422FES319582900779615.zip
Size

38KB
Sample

250123-xy1hpszmgy
MD5

7d4b947c5286aab18226e141a1d8beff
SHA1

8fbe113ead9d46e7932aab48202243bb1100e0a5
SHA256

f88df84b84e4d27953a62adfa03325b45cde22a3d8254ec21ab4c77d51d6e3bb
SHA512

b4d54088a94ca000c7a454f2f4d3c1513a76f21187af25b59028be6cc1cc973bc75b151fdfca7a4cb72e9d020e0d1997d7d65914ff3aac56b5b6154a79fa9fc0
SSDEEP

768:Duml3nRdVkZD4KDGJt2LV6lpQAl+5ESzJv6hAqKriKotBp8ECyUceD:z4FvuW0lho5cAhri5t/+yUceD

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/ducmwq0h0/image/upload/v1736949351/piwedbdcpnpjdclsccjt.jpg%20

exe.dropper

https://res.cloudinary.com/ducmwq0h0/image/upload/v1736949351/piwedbdcpnpjdclsccjt.jpg%20

Extracted

Family

xworm

Version

5.0

C2

85.31.47.24:1888

Mutex

tlRBNCeyJJLJkXVL

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  E988635D9E1159BC4C77C3C9838CA0492422FES319582900779615.js
- Size
  
  163KB
- MD5
  
  00a4ba139e436facb9861b2ac35024fb
- SHA1
  
  16396955fcb4bdf72d8f67fe37ed6c17a39bb9c2
- SHA256
  
  9ae6de36be82dd3f67dab2f0406030f65e72461702ae41e097d75925f4d468ec
- SHA512
  
  8ff47d5fe6381c07947e56e82e235fc0e2f75992b94f842e716b045259ce6488a2b513748884416c79b0f90e2fd014f7959747d1b3b9e1fd0a23d58396f6ef6f
- SSDEEP
  
  1536:xyyVPkspf9s3r8MHps2DxE7EhpdH54HeI7YUnt44KnayzQ6VSYMLR5vUVtOvivcM:kyJksp9YVHVRutCzQ6V6L7uHGi
Score

10^/10

execution xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionrattrojan