xworm | f9e9cfcbfa002e658ecd00139a0296fbe45a792a2b702977038052157f5b20bd | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

WindowsApp1.exe

windows7-x64

WindowsApp1.exe

windows10-2004-x64

Sharing

General

Target

WindowsApp1.exe
Size

445KB
Sample

250228-2bhrla1n17
MD5

1dcabe3dc774fda8e7bd918e5e488e49
SHA1

3625daa16af09ca2eeedbc881170efadf61a8860
SHA256

f9e9cfcbfa002e658ecd00139a0296fbe45a792a2b702977038052157f5b20bd
SHA512

72bdca6af42b2ecf05ad97c240285ad08ec313898198b739ede44dec097f5cc3b51567634c1a54f65e0425b882c53a80a9a7926488db70378a0a8e7d0217d599
SSDEEP

6144:P0IYduQNZhK5xvyEx5DLc8PVVaqZ/f6fnUeEhMOzdVPJEnwC/auXq++uIuAVU:cItQN04+pVVaqtyfnqM4ewCF3HIuA

Score

10^/10

xworm rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

WindowsApp1.exe

Resource

win7-20241010-en

xworm rat trojan

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

WindowsApp1.exe

Resource

win10v2004-20250217-en

xworm rat trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

paul-nw.gl.at.ply.gg:51413

Mutex

AVvzTAnLyW8qQCcO

Attributes

Install_directory
%AppData%
install_file
kev.exe

aes.plain

Targets

- Target
  
  WindowsApp1.exe
- Size
  
  445KB
- MD5
  
  1dcabe3dc774fda8e7bd918e5e488e49
- SHA1
  
  3625daa16af09ca2eeedbc881170efadf61a8860
- SHA256
  
  f9e9cfcbfa002e658ecd00139a0296fbe45a792a2b702977038052157f5b20bd
- SHA512
  
  72bdca6af42b2ecf05ad97c240285ad08ec313898198b739ede44dec097f5cc3b51567634c1a54f65e0425b882c53a80a9a7926488db70378a0a8e7d0217d599
- SSDEEP
  
  6144:P0IYduQNZhK5xvyEx5DLc8PVVaqZ/f6fnUeEhMOzdVPJEnwC/auXq++uIuAVU:cItQN04+pVVaqtyfnqM4ewCF3HIuA
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2025

Terms | Privacy