xworm | 1f3cd4dceeb34f2461fdd41d264624239463c7336572b270cec2b57a4ce7610e | Triage

Resubmissions

25-01-2025 21:43

250125-1kyzha1lhx 10

25-01-2025 21:30

250125-1cnhsssmhn 10

Sharing

General

Target

kZJh2zU8xf605cQ.exe
Size

1.0MB
Sample

250125-1kyzha1lhx
MD5

ef006cf204a8e12a2ea40abd4116fb61
SHA1

35b3038c748cc29bd0375e94536e1d0fc407e876
SHA256

1f3cd4dceeb34f2461fdd41d264624239463c7336572b270cec2b57a4ce7610e
SHA512

fd4d31b52171697616083f5309af8b7e1df43d596ebbb2cc579595dcf9bbd678cc7d53ea70c0c29d2c514c84c10130f0005129e1ffaa544940933f533d3b6266
SSDEEP

12288:D9TowR3+WnYndEx1MfkwbSUhsGWBK/rAcBUajgYQkYf0Tle5:xTowR3+WnYndEx1KkjGWBuzgYh4p5

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes

Install_directory
%ProgramData%

Targets

- Target
  
  kZJh2zU8xf605cQ.exe
- Size
  
  1.0MB
- MD5
  
  ef006cf204a8e12a2ea40abd4116fb61
- SHA1
  
  35b3038c748cc29bd0375e94536e1d0fc407e876
- SHA256
  
  1f3cd4dceeb34f2461fdd41d264624239463c7336572b270cec2b57a4ce7610e
- SHA512
  
  fd4d31b52171697616083f5309af8b7e1df43d596ebbb2cc579595dcf9bbd678cc7d53ea70c0c29d2c514c84c10130f0005129e1ffaa544940933f533d3b6266
- SSDEEP
  
  12288:D9TowR3+WnYndEx1MfkwbSUhsGWBK/rAcBUajgYQkYf0Tle5:xTowR3+WnYndEx1KkjGWBuzgYh4p5
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan