xworm

General

Target

aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340
Size

190KB
Sample

250124-wbn1qazmex
MD5

180735cd524d00759a5f261123a6c0d0
SHA1

cdb05596dd091c51525e573fb061ef15bfd9ae83
SHA256

aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340
SHA512

9fdd5fe3dd1a01f20e524138aa4b4d2daca206d666b4978a5bf73538d0810edee81b353decbdc5fa534870c68ff5d05e8bbe9f1fec8bf6ffff6125a1dc46cf5f
SSDEEP

3072:l/Wr3qjGBaMWrmS24qBZDhAxPWUMWkZoGv/rFVHvTQINontDme41OOjluUnd2bzD:l/ckr6HBZDONv1jmHHvHNonlm+OZBe

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7777

Mutex

tEPO2T8ayqFvBb4T

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Targets

- Target
  
  aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340
- Size
  
  190KB
- MD5
  
  180735cd524d00759a5f261123a6c0d0
- SHA1
  
  cdb05596dd091c51525e573fb061ef15bfd9ae83
- SHA256
  
  aac2bb6ed014b4e73f263b69d11ccc37fa1b94cfccacbfacc564fcead1bc9340
- SHA512
  
  9fdd5fe3dd1a01f20e524138aa4b4d2daca206d666b4978a5bf73538d0810edee81b353decbdc5fa534870c68ff5d05e8bbe9f1fec8bf6ffff6125a1dc46cf5f
- SSDEEP
  
  3072:l/Wr3qjGBaMWrmS24qBZDhAxPWUMWkZoGv/rFVHvTQINontDme41OOjluUnd2bzD:l/ckr6HBZDONv1jmHHvHNonlm+OZBe
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2