xworm | dd9f12854b6d98f9e2cc6793d2a8a32e3286564ac461f2ba1eb68f14fabf6e7f | Triage

Sharing

General

Target

ExodusInject.exe
Size

22KB
Sample

250228-mdjpcax1hx
MD5

2413e853a7f6a0d408c63b2e8abf75e0
SHA1

6ccc5acb681939cfb1ae68dfc6f002766b36dbc8
SHA256

dd9f12854b6d98f9e2cc6793d2a8a32e3286564ac461f2ba1eb68f14fabf6e7f
SHA512

b1701bdefdc1731711deae7b73068107a6249a82c5c7a1b50eb8769b55a9804aad8e9a8a26ce3907828e68fde485fdd250632cf637869b9b6ec593247e430654
SSDEEP

384:euZ3wE2G30I0v+cRODlBEI/ix73EdtiMuSU5iBX8VQ9mCo3Qtf:kG338+cRwyZIdxuSUuMVp3Qtf

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Targets

- Target
  
  ExodusInject.exe
- Size
  
  22KB
- MD5
  
  2413e853a7f6a0d408c63b2e8abf75e0
- SHA1
  
  6ccc5acb681939cfb1ae68dfc6f002766b36dbc8
- SHA256
  
  dd9f12854b6d98f9e2cc6793d2a8a32e3286564ac461f2ba1eb68f14fabf6e7f
- SHA512
  
  b1701bdefdc1731711deae7b73068107a6249a82c5c7a1b50eb8769b55a9804aad8e9a8a26ce3907828e68fde485fdd250632cf637869b9b6ec593247e430654
- SSDEEP
  
  384:euZ3wE2G30I0v+cRODlBEI/ix73EdtiMuSU5iBX8VQ9mCo3Qtf:kG338+cRwyZIdxuSUuMVp3Qtf
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan