xworm | 463d3278d31d58a43d7ee5716fc7040ca7f454778ff82595ae67e416a7219b0d | Triage

Submit
Reports

Overview

overview

Static

static

3

Rexon-Paid...or.exe

windows7-x64

Rexon-Paid...or.exe

windows10-2004-x64

Sharing

General

Target

Rexon-Paid_Executor.exe
Size

1.9MB
Sample

250303-atp5vazybz
MD5

767e47b7200526d6d7b9f82d7d350523
SHA1

7c3c57726639fd44cab7a0014e5cad278386cb6f
SHA256

463d3278d31d58a43d7ee5716fc7040ca7f454778ff82595ae67e416a7219b0d
SHA512

a467c77065293aca2c6bebc3c84c6b5584bd808cf7c8fe53794f02224a401eaebac7b7255ae1ef7081bc17b57abd1116e47a51b87b0f02bc41668f702da139f4
SSDEEP

49152:ZCCiwOpZt1fyR59Z48fjQs9vlaEaBf6xxCWFWV/:gHjpAfrQw9i6xIWFc/

Score

10^/10

xworm persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Rexon-Paid_Executor.exe

Resource

win7-20240903-en

xworm persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

Rexon-Paid_Executor.exe

Resource

win10v2004-20250217-en

xworm persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

display-equivalent.gl.at.ply.gg:12744

Mutex

SkjG4THxcPjCb6Fx

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Targets

- Target
  
  Rexon-Paid_Executor.exe
- Size
  
  1.9MB
- MD5
  
  767e47b7200526d6d7b9f82d7d350523
- SHA1
  
  7c3c57726639fd44cab7a0014e5cad278386cb6f
- SHA256
  
  463d3278d31d58a43d7ee5716fc7040ca7f454778ff82595ae67e416a7219b0d
- SHA512
  
  a467c77065293aca2c6bebc3c84c6b5584bd808cf7c8fe53794f02224a401eaebac7b7255ae1ef7081bc17b57abd1116e47a51b87b0f02bc41668f702da139f4
- SSDEEP
  
  49152:ZCCiwOpZt1fyR59Z48fjQs9vlaEaBf6xxCWFWV/:gHjpAfrQw9i6xIWFc/
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy