xworm | a6382c10dfd269e3315fe4cdfb158c00aea1a179450cf3d3b633acf7e2123d74 | Triage

Sharing

General

Target

vt0.msi
Size

39.9MB
Sample

250228-lnempsyms5
MD5

58729f548d660722ab09292e15a0fe45
SHA1

8a29bb19fd4f42fc4ef1af32d65265fb152b6f99
SHA256

a6382c10dfd269e3315fe4cdfb158c00aea1a179450cf3d3b633acf7e2123d74
SHA512

fa75ab3e28d829f39b14fd9e490d7247e102a81ff668468bd44cfc9c553e1f44d7df9d71d8e4517cdd086e23bae192ee1cad0ca96c57f465c4e8dc4ee539e0e2
SSDEEP

786432:CueucOCp8Ax4Hl/wBg1z9/XUbEBWExPRXG5pYolpXOUGPY9E9jzfGnHvga4I8Q:Cue3NpJx4tRz9CoPRXWYHHNJbGnP

Score

10^/10

xworm defense_evasion discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.197.33.29:7000

Mutex

3MKBwUt55yRv3NZh

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  vt0.msi
- Size
  
  39.9MB
- MD5
  
  58729f548d660722ab09292e15a0fe45
- SHA1
  
  8a29bb19fd4f42fc4ef1af32d65265fb152b6f99
- SHA256
  
  a6382c10dfd269e3315fe4cdfb158c00aea1a179450cf3d3b633acf7e2123d74
- SHA512
  
  fa75ab3e28d829f39b14fd9e490d7247e102a81ff668468bd44cfc9c553e1f44d7df9d71d8e4517cdd086e23bae192ee1cad0ca96c57f465c4e8dc4ee539e0e2
- SSDEEP
  
  786432:CueucOCp8Ax4Hl/wBg1z9/XUbEBWExPRXG5pYolpXOUGPY9E9jzfGnHvga4I8Q:Cue3NpJx4tRz9CoPRXWYHHNJbGnP
Score

10^/10

defense_evasion discovery persistence privilege_escalation xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Access Token Manipulation

Create Process with Token

Event Triggered Execution

Installer Packages

Defense Evasion

Access Token Manipulation

Create Process with Token

Modify Registry

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoverypersistenceprivilege_escalation

behavioral2

xwormdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationrattrojan