xworm | 2da50060f34dbe8ae3cb42988efbe40546eba522f090958013b3e47178aa04c7 | Triage

Submit
Reports

Overview

overview

Static

static

3

NHCUR_Boot...ew.exe

windows7-x64

NHCUR_Boot...ew.exe

windows10-2004-x64

Sharing

General

Target

NHCUR_BootstrapperNew.exe
Size

2.9MB
Sample

250304-1enata1xbv
MD5

8f4833925c458ee2c6b40ef0e0b978f0
SHA1

f37823826806dfe3ab30f6f92ee9807ca3265332
SHA256

2da50060f34dbe8ae3cb42988efbe40546eba522f090958013b3e47178aa04c7
SHA512

88b81b3d204b6ef0234740a0795659f6a924b5106a80cac8d4d174a48003285b395598952de6c03075f15b3cf1055d86d3e604b1346eb8285f098dc71f0e4e97
SSDEEP

49152:8gnJGTce2a1Qo0JjdjW62omu2pCoXghq86WKAlQAd882TQaa0t/s/LAZ42Q:tE4eBOo0JjdjpJcNA9882kJbMC

Score

10^/10

xworm defense_evasion discovery rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NHCUR_BootstrapperNew.exe

Resource

win7-20240903-en

xworm defense_evasion discovery rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

NHCUR_BootstrapperNew.exe

Resource

win10v2004-20250217-en

xworm defense_evasion discovery rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/GMv8QPCE

Targets

- Target
  
  NHCUR_BootstrapperNew.exe
- Size
  
  2.9MB
- MD5
  
  8f4833925c458ee2c6b40ef0e0b978f0
- SHA1
  
  f37823826806dfe3ab30f6f92ee9807ca3265332
- SHA256
  
  2da50060f34dbe8ae3cb42988efbe40546eba522f090958013b3e47178aa04c7
- SHA512
  
  88b81b3d204b6ef0234740a0795659f6a924b5106a80cac8d4d174a48003285b395598952de6c03075f15b3cf1055d86d3e604b1346eb8285f098dc71f0e4e97
- SSDEEP
  
  49152:8gnJGTce2a1Qo0JjdjW62omu2pCoXghq86WKAlQAd882TQaa0t/s/LAZ42Q:tE4eBOo0JjdjpJcNA9882kJbMC
Score

10^/10

xworm defense_evasion discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryrattrojan

behavioral2

xwormdefense_evasiondiscoveryrattrojan

© 2018-2025

Terms | Privacy