Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

Resubmissions

02/03/2025, 17:23

250302-vylcnsy1gt 10

02/03/2025, 17:21

250302-vwyvzszmt9 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

  • Sample

    250302-vwyvzszmt9

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

paul-nw.gl.at.ply.gg:51413

Mutex

AVvzTAnLyW8qQCcO

Attributes
  • Install_directory

    %AppData%

  • install_file

    kev.exe

aes.plain

Targets

    • Target

      https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

    Score
    10/10
    xwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks