xworm | 3af55470fb8f6549631c51af8fb360e144b3a2213328251fb5c893afefd39b2a | Triage

Submit
Reports

Overview

overview

Static

static

1

EspooferFixed.bat

windows10-ltsc 2021-x64

Sharing

General

Target

EspooferFixed.bat
Size

265KB
Sample

250124-sdsj5svrgk
MD5

b305aa4a553e75efdef58b62ab9a1363
SHA1

14b80df7c7cd154275564d8678a99e99096bcbe4
SHA256

3af55470fb8f6549631c51af8fb360e144b3a2213328251fb5c893afefd39b2a
SHA512

ba37b738e73e85d8b4d5ec186c2469d533b94692f00ad07931287fed3bf3c7c9b17ed52f6e9289eb846ebfad25009d6ff1486880d91c45b63be96f276b45ba8f
SSDEEP

6144:qo5yDFBOGJBGmR9BJTGPbL5aFPB9Wxo8W2823a8kyXQ5iDoaPz73HyXMft6E:HgFt7hR9BJSPP5yBUxosXQ5koab73Hy2

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

EspooferFixed.bat

Resource

win10ltsc2021-20250113-en

xworm execution rat trojan

windows10-ltsc 2021-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Mutex

GgTsuAV3pXf6aU6z

aes.plain

Targets

- Target
  
  EspooferFixed.bat
- Size
  
  265KB
- MD5
  
  b305aa4a553e75efdef58b62ab9a1363
- SHA1
  
  14b80df7c7cd154275564d8678a99e99096bcbe4
- SHA256
  
  3af55470fb8f6549631c51af8fb360e144b3a2213328251fb5c893afefd39b2a
- SHA512
  
  ba37b738e73e85d8b4d5ec186c2469d533b94692f00ad07931287fed3bf3c7c9b17ed52f6e9289eb846ebfad25009d6ff1486880d91c45b63be96f276b45ba8f
- SSDEEP
  
  6144:qo5yDFBOGJBGmR9BJTGPbL5aFPB9Wxo8W2823a8kyXQ5iDoaPz73HyXMft6E:HgFt7hR9BJSPP5yBUxosXQ5koab73Hy2
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy