xworm | ff82ba209528783a4321e1281c0db4e06718f6d1985cb8d93536a02b60c8379c | Triage

Sharing

General

Target

8ea5d82e846f1b78fd4f7a1be3008ed4.zip
Size

21KB
Sample

250124-apfqlszqcy
MD5

8ea5d82e846f1b78fd4f7a1be3008ed4
SHA1

c665d5c95ea97dd48cbbd2cc8c15598333d6cb3e
SHA256

ff82ba209528783a4321e1281c0db4e06718f6d1985cb8d93536a02b60c8379c
SHA512

6d96591becb14d0d16bb142f1c4e301b598fac07f4ea4774babbddf7779b2ebe2c405d25c64765e92167ef284bfa54d5a04e8c819bb0017b1fa5104da1e94f30
SSDEEP

384:CE7nZ3mWZ8NbzO4TgH24Ewb5IReDUVhiMXQw4HV+E9sqcyf+yAsa7Jluhz+e6:H7Z2WZeiFH24Ewb2ReYbpXdcV+w6yfTc

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20

exe.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20

Extracted

Family

xworm

Version

5.0

C2

87.120.116.179:1300

Mutex

D9SUsC7nLI4t2dR8

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  CENDO RAMA JUDICIAL - Oficio 392 - OFICIO Y DETALLE DE ACTUACIÓN JUDICIAL.js
- Size
  
  73KB
- MD5
  
  ececcb43f7f2e1f294047fee6512849b
- SHA1
  
  ab25ccd9dc155e90b1828ac77b4deacfff2bd98d
- SHA256
  
  b03d8e95d48272334f35836a28a163f153eb3b00e97ce0466a3dce8202527f23
- SHA512
  
  fb2cd31e8f258fcadef22ff71686e1f8417d157b9bd56f0e2ac0493e92b8d0be5a1435977a7dfbe1dd14ac145ac41e1f73d893515fea823f02a51387a0815f4d
- SSDEEP
  
  1536:4l4izQ6VsYX/f53KKxAlFlwWJOKumLcAJ152k6:41zQ6Vj/BKpW
Score

10^/10

execution xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionrattrojan