xworm | d7940abb64258b63400551aa4e6c61b854c5c7c36229e0d620cf3c0de6a108dd | Triage

Sharing

General

Target

FakeExodus.zip
Size

10KB
Sample

250228-mbwacsx1gz
MD5

c3a049d9c7f24f1ac90f70305755260a
SHA1

ad795d2a6e4c6fba77bd87a523158204d8982c36
SHA256

d7940abb64258b63400551aa4e6c61b854c5c7c36229e0d620cf3c0de6a108dd
SHA512

6f6801f3f8eea5e91ac3a663549b27c53559473a9cafcbf505bb6c6a3d5fb0599d0a84c8bcfe0c9805e298c1eb5706ae203c09082045d2242c89f3e6b6562408
SSDEEP

192:FOhx6gpVzbv8TZcwHxiWvn4yKMPIDruLjUg8Rg8kHsEYIw9Jj4WjMqZhLzpB:ex6gphET/H4yM/uLjdEg8QsEYIeRgqXj

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Targets

- Target
  
  ExodusInject.exe
- Size
  
  22KB
- MD5
  
  2413e853a7f6a0d408c63b2e8abf75e0
- SHA1
  
  6ccc5acb681939cfb1ae68dfc6f002766b36dbc8
- SHA256
  
  dd9f12854b6d98f9e2cc6793d2a8a32e3286564ac461f2ba1eb68f14fabf6e7f
- SHA512
  
  b1701bdefdc1731711deae7b73068107a6249a82c5c7a1b50eb8769b55a9804aad8e9a8a26ce3907828e68fde485fdd250632cf637869b9b6ec593247e430654
- SSDEEP
  
  384:euZ3wE2G30I0v+cRODlBEI/ix73EdtiMuSU5iBX8VQ9mCo3Qtf:kG338+cRwyZIdxuSUuMVp3Qtf
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan