xworm | 29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9 | Triage

Submit
Reports

Overview

overview

Static

static

29e6ce9c6f...b9.exe

windows7-x64

29e6ce9c6f...b9.exe

windows10-2004-x64

Sharing

General

Target

29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9
Size

171KB
Sample

250124-1j6b7a1nej
MD5

3962793abf417f180767e5657f8be0b1
SHA1

15b7f2cd937a6f910d64ec3c9ed82c9c84165bb2
SHA256

29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9
SHA512

735d24410d0ffc30471b1095b81efef0ea5a3c4bff7ed694ddea8f2335b57d16371a192792a72499cdf4f1443ac4ae077aee9b47806e01bdfe218346f527f625
SSDEEP

3072:+0UcTmkb2YldqUOcs7Bz65/M6If+3Js+3JFkKeTno:sglbHOxBt25

Score

10^/10

xworm execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9.exe

Resource

win7-20240729-en

xworm execution rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9.exe

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

warning-found.gl.at.ply.gg:29902

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7245901356:AAHYPFTv3LWcRGEqQpw-CbDblzq7UxWdbU8/sendMessage?chat_id=7538879815

Targets

- Target
  
  29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9
- Size
  
  171KB
- MD5
  
  3962793abf417f180767e5657f8be0b1
- SHA1
  
  15b7f2cd937a6f910d64ec3c9ed82c9c84165bb2
- SHA256
  
  29e6ce9c6fefbf33bc2dd3b46916280907c4fae8d8d8c15acd3436298e76d1b9
- SHA512
  
  735d24410d0ffc30471b1095b81efef0ea5a3c4bff7ed694ddea8f2335b57d16371a192792a72499cdf4f1443ac4ae077aee9b47806e01bdfe218346f527f625
- SSDEEP
  
  3072:+0UcTmkb2YldqUOcs7Bz65/M6If+3Js+3JFkKeTno:sglbHOxBt25
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy