xworm | 8216fb31e6a6eb3fe821086dd4d11648002c5be52dd239cd49ee0174b3e81eac | Triage

Sharing

General

Target

8216fb31e6a6eb3fe821086dd4d11648002c5be52dd239cd49ee0174b3e81eac
Size

51KB
Sample

250124-1mjmlazpbv
MD5

de65269116e2dd3b7928169549a6079a
SHA1

cbdffa57d6150c4813bba234d6175107bf08928e
SHA256

8216fb31e6a6eb3fe821086dd4d11648002c5be52dd239cd49ee0174b3e81eac
SHA512

f77b0d37eb9032f0e7e9cd5ecd8693fba2013af69fb10816c64b91f3d6555d506eae8a1e457ded320058a93ead2cae24ed4fa0714135fb8ec8e0e43cb030f7c7
SSDEEP

1536:57+oKOX7c1zY5xt3GWJSj/FN+gkzEMKVlJl2:53rmY5xtWcSTFNG+/L2

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:30540

take-continually.gl.at.ply.gg:30540

Attributes

Install_directory
%AppData%
install_file
WindowsDefender.exe

Targets

- Target
  
  Catlavan.exe
- Size
  
  74KB
- MD5
  
  cafec0e0f7eab47ab7cf90a1dd593f4f
- SHA1
  
  76c66c7232dac83c1ac2726ceff034591aa447cb
- SHA256
  
  05e568b534ae869db91152a0190d41a1bef9492bce1a06a46bc1fd76617dd0a5
- SHA512
  
  0b359db626ba17af3d10802927f2785f05e23f21079e2313c2ad32e5cef94c9e27ff0b810cee7d9a65fb66ae15462c18860570a62a8fdd12529d57043d08d498
- SSDEEP
  
  1536:zNx7MEFOzuMuQmN3+bTtdTEhakV0r6L5yhbsGOBR8X7Xwci:YaOqMuQg+bTjEV0YyljOBOXEci
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan