xworm | f9f35704de5a2355e9b8b7107613736b5501573cfb9794126867ccd73100ea98 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

FUD.vbs

windows7-x64

6

FUD.vbs

windows10-2004-x64

Sharing

General

Target

FUD.vbs
Size

325KB
Sample

250228-s4cava1sdx
MD5

d525be35ac5b7de70edb7c00529f1d83
SHA1

eef5cd4c355487132d225492acdc425fb0fe606d
SHA256

f9f35704de5a2355e9b8b7107613736b5501573cfb9794126867ccd73100ea98
SHA512

32e399504a0669e0c83872a947cf24955489f2b3f75dae83cec2798681f4249d6bac02f861436fcbf6b8d2321045ab7fbc6c006bf33ca1402429ce799e254830
SSDEEP

6144:PAbSQwEhvxxx06qUY2fVHavDdl8PI76KF51u7WJVzZF:PAbBlhqp2fZsDdlYI77BVlF

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

FUD.vbs

Resource

win7-20240903-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

FUD.vbs

Resource

win10v2004-20250217-en

xworm execution rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

required-mold.gl.at.ply.gg:25146

feedback-both.gl.at.ply.gg:25146

192.168.1.223:25146

Attributes

Install_directory
%ProgramData%
install_file
Xclient.exe

Targets

- Target
  
  FUD.vbs
- Size
  
  325KB
- MD5
  
  d525be35ac5b7de70edb7c00529f1d83
- SHA1
  
  eef5cd4c355487132d225492acdc425fb0fe606d
- SHA256
  
  f9f35704de5a2355e9b8b7107613736b5501573cfb9794126867ccd73100ea98
- SHA512
  
  32e399504a0669e0c83872a947cf24955489f2b3f75dae83cec2798681f4249d6bac02f861436fcbf6b8d2321045ab7fbc6c006bf33ca1402429ce799e254830
- SSDEEP
  
  6144:PAbSQwEhvxxx06qUY2fVHavDdl8PI76KF51u7WJVzZF:PAbBlhqp2fZsDdlYI77BVlF
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy