xworm

General

Target

PC X LEGEND BYPASS.exe
Size

1.9MB
Sample

250303-xr7y7swkx9
MD5

0f5d149cd2e3d53211053cc10ab5afe3
SHA1

7c6a746d3018e0c9c4fdbb0afeed5d763956614f
SHA256

3389ea0da70c332fb4e2cf1bf0ca290ed6c5ab35340d2e9d696e80e023e39436
SHA512

0350b4ab55667cc3fa3bb8c26f2e94439827e0d80f6d180c60e6aadc770c016c2ea37352e2a96e62378b2fcad091033658890553218c0efae536108bf5a93949
SSDEEP

49152:/iNOmow0zk3ArZeVuW4gPP9l9GBlyXXHeJGU6frQkwrM:qNkBkwrAutgH79GTQeJGRsDM

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:58112

Attributes

Install_directory
%AppData%
install_file
Realtek HD Audio Universal Service.exe

Targets

- Target
  
  PC X LEGEND BYPASS.exe
- Size
  
  1.9MB
- MD5
  
  0f5d149cd2e3d53211053cc10ab5afe3
- SHA1
  
  7c6a746d3018e0c9c4fdbb0afeed5d763956614f
- SHA256
  
  3389ea0da70c332fb4e2cf1bf0ca290ed6c5ab35340d2e9d696e80e023e39436
- SHA512
  
  0350b4ab55667cc3fa3bb8c26f2e94439827e0d80f6d180c60e6aadc770c016c2ea37352e2a96e62378b2fcad091033658890553218c0efae536108bf5a93949
- SSDEEP
  
  49152:/iNOmow0zk3ArZeVuW4gPP9l9GBlyXXHeJGU6frQkwrM:qNkBkwrAutgH79GTQeJGRsDM
Score

10^/10

xworm discovery rat trojan execution
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  PC X LEGEND BYPASS.exe
- Size
  
  2.7MB
- MD5
  
  ed35709f34c3b5397321d9e5e74269d5
- SHA1
  
  ff3559857290d6b93da5235a2cb15710dddc6238
- SHA256
  
  30e163bed4dab5e72bbba4803c00e8477b53c2e18edd14fb9ccd4d5567cf6932
- SHA512
  
  7710788db8907e58dc71052abc8584c2f59ebf566f626c9efcae9b65368d42fb85b1261beb8be3d0a4160f80600b69c49b16ece8ed5a393af4257591fe46f89d
- SSDEEP
  
  49152:r2b985QlCr73cVTwDGDMJ4Cyn7P2IJTX32YZP5gixIaFB+kn3Hnx:r2Z8BrwVzC42C32YZ+k1+k
Score

1^/10
behavioral3 behavioral4
- Target
  
  Realtek HD Audio Universal Service.exe
- Size
  
  53KB
- MD5
  
  ce3e5f8613ea049b651549eba3e3aa28
- SHA1
  
  1197375be314ae5a69f3b742f0f539b881aca09a
- SHA256
  
  9385116a4a3874548ffa027f4cd448d860ef8dc13fc687ce87790a01ede8e73a
- SHA512
  
  ab1428177b5ec71447003ac01f5f99d9c7f2af634f17ef53d6f6be196714faac856b0bc3f62b6fad9975dad970ec247d35f56615c62b9ad483426f4ecaae71c2
- SSDEEP
  
  768:/63AQe9cfNbv5s7Xol68y+JN/Db3dLPowu7aR6vaTOouhIZqklm:/WAQbdvoolZJ9b3dLPoCR68OnkZ8
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6