xworm | 577c05e3a4882a69fe2a06ac772ee8742bb54c9a098a34ccdcd00da7815adc30 | Triage

Sharing

General

Target

EzSpoofer.bat
Size

291KB
Sample

250124-rzgjbssray
MD5

9524fa679cf2b883fddf8dfe3f0c2c4f
SHA1

2b20ad331b377685226e8e40d5c7364d102f0735
SHA256

577c05e3a4882a69fe2a06ac772ee8742bb54c9a098a34ccdcd00da7815adc30
SHA512

a38743fe6c3bf55dab74b5c04f785345a420ed23c1513ce0901f1f78e28f277c8c49cad809c909a2bb0cb9e16d98ce88dd92a241e11f4ab4e128728077b3c42d
SSDEEP

6144:yUkjDHOfsQkBWTAaCi+oG7RZAkehxo4CzC1a5TAl2K9:yvPuE3BIQTEjPv5

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes

Install_directory
%ProgramData%

Targets

- Target
  
  EzSpoofer.bat
- Size
  
  291KB
- MD5
  
  9524fa679cf2b883fddf8dfe3f0c2c4f
- SHA1
  
  2b20ad331b377685226e8e40d5c7364d102f0735
- SHA256
  
  577c05e3a4882a69fe2a06ac772ee8742bb54c9a098a34ccdcd00da7815adc30
- SHA512
  
  a38743fe6c3bf55dab74b5c04f785345a420ed23c1513ce0901f1f78e28f277c8c49cad809c909a2bb0cb9e16d98ce88dd92a241e11f4ab4e128728077b3c42d
- SSDEEP
  
  6144:yUkjDHOfsQkBWTAaCi+oG7RZAkehxo4CzC1a5TAl2K9:yvPuE3BIQTEjPv5
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan