xworm | 6d57e053872d4d66c1dca942a63251ac56810397f53ba2cb0117ffc312e39979 | Triage

Submit
Reports

Overview

overview

Static

static

3

7.exe

windows10-2004-x64

Sharing

General

Target

7.rar
Size

119KB
Sample

250124-vss6bsynh1
MD5

ec99d5e3c7b2201346dd109db3b9037b
SHA1

8fec0cffdcf7a3bb48ea3d918838d9cfa53b7978
SHA256

6d57e053872d4d66c1dca942a63251ac56810397f53ba2cb0117ffc312e39979
SHA512

162729966fa0c830639a1a91544043e22acca4afdf71072cb31530a53998666fcc781650195edf8a149d091ad774285bd5195ecf3690fc0d73315ffae9a7d62c
SSDEEP

3072:w7J44GyXatQ+fS/fkTNQN8pyEQf94Ky6pQqs8TQHs:4JRnk/KNuyEQCK2gss

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

7.exe

Resource

win10v2004-20241007-it

xworm execution persistence rat trojan

windows10-2004-x64

21 signatures

900 seconds

Malware Config

Extracted

Family

xworm

C2

feb-arrested.gl.at.ply.gg:17830

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Targets

- Target
  
  7.exe
- Size
  
  302KB
- MD5
  
  ad169b56eca575c76b5c8662eaafe750
- SHA1
  
  8856d6a0532b62af6e6f8e1f6d86bb9433ea12d2
- SHA256
  
  b21970eb9efd571d0244356f6b6a96a612527e20b416747e8572c52d30ea5b57
- SHA512
  
  cb12c03c6f37e4853349f59470caf763c21dea36d189fb46a85178779df844f6e057080c5804b6441e3a7fbcc881bf60972a88d335a0db5d4fed0997bed5387b
- SSDEEP
  
  1536:AQPS0VyRe/kqne5mcDf2c+oH5FlZn2AniQuLvyQIs+oitUKw71nztWGlSBSdkxLZ:AZ0dcEhPorlFeVABf9vtrjxlDE4
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy