xworm | 572667ee8147be27b09a4b68b5aa14cd60bf2e25a2a1a09264f94a329d37ff80 | Triage

Submit
Reports

Overview

overview

Static

static

572667ee81...80.exe

windows7-x64

572667ee81...80.exe

windows10-2004-x64

Sharing

General

Target

572667ee8147be27b09a4b68b5aa14cd60bf2e25a2a1a09264f94a329d37ff80
Size

75KB
Sample

250126-q3ch4stral
MD5

b923f5cc55cd2026709dd9cf2769a774
SHA1

72b6dc0ed5f068c2f6caffbf25a690c416df334d
SHA256

572667ee8147be27b09a4b68b5aa14cd60bf2e25a2a1a09264f94a329d37ff80
SHA512

cf146b11d49f4de41e0eb40fa6a6aac489dc11ad0cb2a918298e6c6c955ebcd280d8530f92f2428e67ffd0a6c5f5d6c054b760337a6e27209d1ce23e5d55a959
SSDEEP

1536:/2Q5pJiB6uawKjPFNN3GOU60s6wBecnbSxa++aD63BsWF/GOGAWYR:/2Q5bi9bA4cnbSE2m/GOG0R

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

572667ee8147be27b09a4b68b5aa14cd60bf2e25a2a1a09264f94a329d37ff80.exe

Resource

win7-20241023-en

xworm execution persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

572667ee8147be27b09a4b68b5aa14cd60bf2e25a2a1a09264f94a329d37ff80.exe

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

political-antivirus.gl.at.ply.gg:28319

Attributes

Install_directory
%LocalAppData%
install_file
java_host.exe

Targets

- Target
  
  572667ee8147be27b09a4b68b5aa14cd60bf2e25a2a1a09264f94a329d37ff80
- Size
  
  75KB
- MD5
  
  b923f5cc55cd2026709dd9cf2769a774
- SHA1
  
  72b6dc0ed5f068c2f6caffbf25a690c416df334d
- SHA256
  
  572667ee8147be27b09a4b68b5aa14cd60bf2e25a2a1a09264f94a329d37ff80
- SHA512
  
  cf146b11d49f4de41e0eb40fa6a6aac489dc11ad0cb2a918298e6c6c955ebcd280d8530f92f2428e67ffd0a6c5f5d6c054b760337a6e27209d1ce23e5d55a959
- SSDEEP
  
  1536:/2Q5pJiB6uawKjPFNN3GOU60s6wBecnbSxa++aD63BsWF/GOGAWYR:/2Q5bi9bA4cnbSE2m/GOG0R
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy