xworm | 7191ca1e3053e459c10aec9281eeb98a94f36fa0134085b2c2386741a6e18f6b | Triage

Submit
Reports

Overview

overview

Static

static

3

BlitzedGrabberV12.exe

windows7-x64

BlitzedGrabberV12.exe

windows10-2004-x64

9

Sharing

General

Target

BlitzedV12.rar
Size

6.1MB
Sample

250125-l5jmzsxrdx
MD5

8e314e20dbcf8a39f70530acd4c310a0
SHA1

4b3a0fb8c6a5af4d209bd191e9132f76d07586df
SHA256

7191ca1e3053e459c10aec9281eeb98a94f36fa0134085b2c2386741a6e18f6b
SHA512

4f1aadad72c154bc6c3747992d197b3da21aec0308298c9442bc8542aa374c0d15dc37641d549496d2c5f8b315951d475764e57b46ce74b2fac6607f73e76786
SSDEEP

196608:BgSNHp3IT47kDX6bH8ZQMMdVx4lBqrk9zhu/EG:BPVdhQDX6bH8ZQMuHsBLc/N

Score

10^/10

xworm defense_evasion discovery persistence rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

BlitzedGrabberV12.exe

Resource

win7-20240903-en

xworm defense_evasion discovery persistence rat themida trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

BlitzedGrabberV12.exe

Resource

win10v2004-20241007-en

defense_evasion discovery persistence themida trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

stores-anytime.at.ply.gg:36673

Mutex

S2a8VYouw8L5LAad

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  BlitzedGrabberV12.exe
- Size
  
  4.7MB
- MD5
  
  f1417759e105ff9909ed454ad5db48a0
- SHA1
  
  d8ff4cfa49616988882f1d4e6318db869acd75ce
- SHA256
  
  966cee8682727f4f09d137b4924ec6daeb7c0b9dcb8b9700be8c3e73c57c6b60
- SHA512
  
  e0359c601e59b56c1d5e324c85692b3f3db94adb1a2110c5fd3e6ab248475d27fa1f2aff86f57c0d99ae328cf4e68783a84af41049d7856c3b940ab6ef19b675
- SSDEEP
  
  98304:hmVrrT79MEH/TSbOJfUhEpZlm5qqCabiiSXiBuxIr7n:h2rlMEfTa6fUWlQzCaWiIsX
Score

10^/10

xworm defense_evasion discovery persistence rat themida trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoverypersistenceratthemidatrojan

behavioral2

defense_evasiondiscoverypersistencethemidatrojan

© 2018-2025

Terms | Privacy