xworm | 6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6 | Triage

Submit
Reports

Overview

overview

Static

static

1

6e1bd32502...e6.vbs

windows7-x64

6

6e1bd32502...e6.vbs

windows10-2004-x64

Sharing

General

Target

6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6.vbs
Size

106KB
Sample

250303-czvzdstqw6
MD5

0a499888377f40a43d7307bafa8cbd30
SHA1

82123a74391172f0b0d823b427b104661d0e6a33
SHA256

6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6
SHA512

dabcfa799a990d0ca8cede290e75bf76133a0c9cb157e2aa614145b4cc6bda7319b6e33c9d4f44fc7f97ae6e01aa30a123c6ca7ebb8bfc04da89d6dc14cd4052
SSDEEP

3072:4qBpaqQCcV4IptJpeCIxebt/uuqBPc+4wd4/w2ElZoaf:PpDyVptJX/hlQt4wdyalZoC

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6.vbs

Resource

win7-20240903-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6.vbs

Resource

win10v2004-20250217-en

xworm execution rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6.vbs
- Size
  
  106KB
- MD5
  
  0a499888377f40a43d7307bafa8cbd30
- SHA1
  
  82123a74391172f0b0d823b427b104661d0e6a33
- SHA256
  
  6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6
- SHA512
  
  dabcfa799a990d0ca8cede290e75bf76133a0c9cb157e2aa614145b4cc6bda7319b6e33c9d4f44fc7f97ae6e01aa30a123c6ca7ebb8bfc04da89d6dc14cd4052
- SSDEEP
  
  3072:4qBpaqQCcV4IptJpeCIxebt/uuqBPc+4wd4/w2ElZoaf:PpDyVptJX/hlQt4wdyalZoC
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy