xworm | 39532fe4477427729c951df53e455c6e67925adf3920138063e0064531ccc1c4 | Triage

Submit
Reports

Overview

overview

Static

static

1

skibidigenesis.bat

windows7-x64

8

skibidigenesis.bat

windows10-2004-x64

Sharing

General

Target

skibidigenesis.bat
Size

397KB
Sample

250304-3vf8jstnw7
MD5

72c4399da0d8899b4e60ba732d20ac70
SHA1

ff22be71d8e3be9473c711a997619804588c8dbc
SHA256

39532fe4477427729c951df53e455c6e67925adf3920138063e0064531ccc1c4
SHA512

58a928f109ae7a1ef307ca7babfe44ed218095d2bd7f4d637acf1d145be6d7fbb95d038d743c42b72f605c77fe5cbca603baca224e36e48e4c063ebb1b20a6df
SSDEEP

12288:1+WS3omtKVLLk59mhJi1GKIuVHhp3oPOLxc1jAFtr3kggy:QWBDLQ54kHjoP4iVobkggy

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

skibidigenesis.bat

Resource

win7-20241010-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

skibidigenesis.bat

Resource

win10v2004-20250217-en

xworm defense_evasion discovery execution rat trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:59410

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  skibidigenesis.bat
- Size
  
  397KB
- MD5
  
  72c4399da0d8899b4e60ba732d20ac70
- SHA1
  
  ff22be71d8e3be9473c711a997619804588c8dbc
- SHA256
  
  39532fe4477427729c951df53e455c6e67925adf3920138063e0064531ccc1c4
- SHA512
  
  58a928f109ae7a1ef307ca7babfe44ed218095d2bd7f4d637acf1d145be6d7fbb95d038d743c42b72f605c77fe5cbca603baca224e36e48e4c063ebb1b20a6df
- SSDEEP
  
  12288:1+WS3omtKVLLk59mhJi1GKIuVHhp3oPOLxc1jAFtr3kggy:QWBDLQ54kHjoP4iVobkggy
Score

10^/10

execution xworm defense_evasion discovery rat trojan
- Detect Xworm Payload
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

Clear Windows Event Logs

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdefense_evasiondiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy