xworm | 9e8ba783a127bc7bcd386673131e370b1fcd5367d28a002e244b0094c0bd7b5a | Triage

Sharing

General

Target

mmmmm.exe
Size

650KB
Sample

250301-ra2g7sswaw
MD5

0ec384b7321f9f1541c1bc606174ece0
SHA1

50a80a859e24aebe6dfc4d0b87fee07874b41bd0
SHA256

9e8ba783a127bc7bcd386673131e370b1fcd5367d28a002e244b0094c0bd7b5a
SHA512

3365865fb6c56f3ba12c7366afad8dd68af859c3886a3e7c589eaa6b6725cc7423106dc4f64a2e56e7e248004faf05dc0b99baaed01e739a1ed9bf01bbf6bcee
SSDEEP

12288:oCBUW9ge15I4ScpG1Im6wPeVdtNuxjAYVUWAJ:oCBUKd5Pp6QwP6jw

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

brb.uncofig.com:305

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7935744596:AAHAXFaaixQPFwn0W2W8vzi89smaPwFqxoA/sendMessage?chat_id=1048345160

Targets

- Target
  
  mmmmm.exe
- Size
  
  650KB
- MD5
  
  0ec384b7321f9f1541c1bc606174ece0
- SHA1
  
  50a80a859e24aebe6dfc4d0b87fee07874b41bd0
- SHA256
  
  9e8ba783a127bc7bcd386673131e370b1fcd5367d28a002e244b0094c0bd7b5a
- SHA512
  
  3365865fb6c56f3ba12c7366afad8dd68af859c3886a3e7c589eaa6b6725cc7423106dc4f64a2e56e7e248004faf05dc0b99baaed01e739a1ed9bf01bbf6bcee
- SSDEEP
  
  12288:oCBUW9ge15I4ScpG1Im6wPeVdtNuxjAYVUWAJ:oCBUKd5Pp6QwP6jw
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormpersistencerattrojan