xworm | 08e348287c5287415442ccf3ce4ffef96d4a5d71f4d2de045e99f115db6c12b7 | Triage

Sharing

General

Target

c7xdsg43_1.exe._2.exe
Size

3.9MB
Sample

250124-esd4eaypbw
MD5

2e975b87f63c8dd384c803765d5d1c0b
SHA1

fdf785a15472093c6ff6228a4912076029eef54e
SHA256

08e348287c5287415442ccf3ce4ffef96d4a5d71f4d2de045e99f115db6c12b7
SHA512

dfdd0e57c54fea79a709958376bff681ca4f2c63e292d80e18b517ac9815ab585902cdd0831336ffd0c318b96955de948470900dbcb772c27a9da7d330d05697
SSDEEP

49152:QHgoyciELo8BJSstkpUbSkeQKyAWmDl8:

Score

10^/10

xworm defense_evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

vshostupdater.duckdns.org:34357

newport1179.duckdns.org:34357

windowsbre.duckdns.org:34357

Attributes

Install_directory
%AppData%
install_file
Windows Updater.exe

Targets

- Target
  
  c7xdsg43_1.exe._2.exe
- Size
  
  3.9MB
- MD5
  
  2e975b87f63c8dd384c803765d5d1c0b
- SHA1
  
  fdf785a15472093c6ff6228a4912076029eef54e
- SHA256
  
  08e348287c5287415442ccf3ce4ffef96d4a5d71f4d2de045e99f115db6c12b7
- SHA512
  
  dfdd0e57c54fea79a709958376bff681ca4f2c63e292d80e18b517ac9815ab585902cdd0831336ffd0c318b96955de948470900dbcb772c27a9da7d330d05697
- SSDEEP
  
  49152:QHgoyciELo8BJSstkpUbSkeQKyAWmDl8:
Score

10^/10

xworm defense_evasion persistence rat trojan
- Detect Xworm Payload
- Modifies security service
  defense_evasion
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Indicator Removal: Clear Persistence
  remove IFEO.
  defense_evasion
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionpersistencerattrojan