xworm | 68a22c99d75a30d9bd60980eb78315d505b250d8a7093e545ac5a7b1c39f67ae | Triage

Sharing

General

Target

Nerest Crack by ZevsHacker.rar
Size

35KB
Sample

250124-xlt56avjdq
MD5

c77336e5ee078ad00e41eac9ac2ef8be
SHA1

3c690525de752a64c9dcd7e0bd404a8bf7c7a6f6
SHA256

68a22c99d75a30d9bd60980eb78315d505b250d8a7093e545ac5a7b1c39f67ae
SHA512

94d7433095473021bb156196dc87b6ea829cdd8c25b1a9678325c4682e78c23fd6a80f3bd197e9b41576a3c7515d83ec7ed8f786b064a10cd164d1763ed2f946
SSDEEP

768:aISSklsDWiYv3FfhlUvWY2i3ugkE2Q13Aw3wI9rJzgAT:PSSSiYv3Fffw2i/nJsI9rJ7T

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

you-cigarette.gl.at.ply.gg:30434

Attributes

Install_directory
%Public%
install_file
XClient.exe

Targets

- Target
  
  Nerest/Nerest Crack.exe
- Size
  
  115KB
- MD5
  
  ae7e7ad5099597db8f14ee26fd5cee52
- SHA1
  
  53fe58268d74ca2c2caf5bce1449e488a546d30d
- SHA256
  
  8a441778a38026427e889a79b248fdffa17edf31da5fceff03de1a9611d0f629
- SHA512
  
  7d757ec1567cca840e282d72ad89996083f22b30d858a9617cc299dcaa1cdc290e20b30db3bfbbaa1c59510e87b74d180461ba25e76b626bd7405e45de6e08d8
- SSDEEP
  
  1536:QH3h0qpEK83YpNQSUEbRRfk7SZF6/Og4Zd:QXByK836rbRmS6Og47
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan