xworm | cc39249ab312be84a7b41a2ec9670abe3bc99e2e4268d3687325177dbd8ac1b1 | Triage

Sharing

General

Target

disconnect-cat.exe
Size

232KB
Sample

250124-v5brta1lhj
MD5

6f3181b822774b93d128e14fbdb3d21b
SHA1

f3a02eae8ea55911e2b748110df39d772fcf7614
SHA256

cc39249ab312be84a7b41a2ec9670abe3bc99e2e4268d3687325177dbd8ac1b1
SHA512

83d203d1368c9228f700388051f6897aa8d92f24efa9945189c0f3853c36f9d4d2bf2500ce6cd864e23ce7a3dcc021badf8379eeb7e95061e3da60135cfd555f
SSDEEP

1536:3rZP19q04l8xn7QYM1bKw+/qEuCV5b7Gkmu01R5qOjiCz9mDdquc:VMl8xnS1bKjpPPqn/5qOjic99L

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/MdNNLDrU:1

Attributes

Install_directory
%Userprofile%
install_file
msconfig.exe
pastebin_url
https://pastebin.com/raw/MdNNLDrU

Targets

- Target
  
  disconnect-cat.exe
- Size
  
  232KB
- MD5
  
  6f3181b822774b93d128e14fbdb3d21b
- SHA1
  
  f3a02eae8ea55911e2b748110df39d772fcf7614
- SHA256
  
  cc39249ab312be84a7b41a2ec9670abe3bc99e2e4268d3687325177dbd8ac1b1
- SHA512
  
  83d203d1368c9228f700388051f6897aa8d92f24efa9945189c0f3853c36f9d4d2bf2500ce6cd864e23ce7a3dcc021badf8379eeb7e95061e3da60135cfd555f
- SSDEEP
  
  1536:3rZP19q04l8xn7QYM1bKw+/qEuCV5b7Gkmu01R5qOjiCz9mDdquc:VMl8xnS1bKjpPPqn/5qOjic99L
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan