xworm | 2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0 | Triage

Submit
Reports

Overview

overview

Static

static

1

EzSpoofer.bat

windows7-x64

8

EzSpoofer.bat

windows10-2004-x64

Sharing

General

Target

EzSpoofer.bat
Size

262KB
Sample

250124-sb1sqstnby
MD5

1298934b3f4c37d349794f0686c6e7a8
SHA1

9a6848b79ba8aba796514526898b4c9217301bc0
SHA256

2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0
SHA512

ee7afbdd2cc0297cd0da983618fa45e7c0304c142723f394a8a3d484d6f87e36a902f6dc4788007cd8df5252a455d697eeb21eb1673f41f9464a3d1872179374
SSDEEP

6144:lyFq/jSEnae2y5lSdU0NeUmerUzCO6jZFwkjAZ9:lyFqbSOaeUxeCOibw+AZ9

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

EzSpoofer.bat

Resource

win7-20240903-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

EzSpoofer.bat

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Mutex

RRwG35fodUbwRp96

aes.plain

Targets

- Target
  
  EzSpoofer.bat
- Size
  
  262KB
- MD5
  
  1298934b3f4c37d349794f0686c6e7a8
- SHA1
  
  9a6848b79ba8aba796514526898b4c9217301bc0
- SHA256
  
  2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0
- SHA512
  
  ee7afbdd2cc0297cd0da983618fa45e7c0304c142723f394a8a3d484d6f87e36a902f6dc4788007cd8df5252a455d697eeb21eb1673f41f9464a3d1872179374
- SSDEEP
  
  6144:lyFq/jSEnae2y5lSdU0NeUmerUzCO6jZFwkjAZ9:lyFqbSOaeUxeCOibw+AZ9
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy