xworm | def5f494dc4f2f37b4465f17f37d014d7f3a0c5502155929377699ebc9a81647 | Triage

Submit
Reports

Overview

overview

Static

static

1

XWorm_V5.6.rar

windows7-x64

1

XWorm_V5.6.rar

windows10-2004-x64

Sharing

General

Target

XWorm_V5.6.rar
Size

22.6MB
Sample

250304-c7grqsxsfw
MD5

5068a3b417e90396aa1daf49ff040781
SHA1

8b1600e598af84986cd19205e7df7a5f8bd41290
SHA256

def5f494dc4f2f37b4465f17f37d014d7f3a0c5502155929377699ebc9a81647
SHA512

c1ea022b9a3238118cdf86a0784d39006167729f801f5d34139dfdab4e17f6df83126b2fc53c8490e29560b15683cf6cff40645718c8580fd7fc7246a7765136
SSDEEP

393216:C09aYD0TVEauWnA0NY5TiL+lQDXTFW8Y8CJqj6rzQIOl++mA34nZXS4IHek:NUYgp/ugVNYO+sZtYLQIO8+b3PF

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

XWorm_V5.6.rar

Resource

win7-20240903-en

windows7-x64

3 signatures

900 seconds

Behavioral task

behavioral2

Sample

XWorm_V5.6.rar

Resource

win10v2004-20250217-en

xworm execution rat trojan

windows10-2004-x64

17 signatures

900 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

217.195.153.81:50000

Mutex

5UXpujbt6vWtkdEG

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

aes.plain

Targets

- Target
  
  XWorm_V5.6.rar
- Size
  
  22.6MB
- MD5
  
  5068a3b417e90396aa1daf49ff040781
- SHA1
  
  8b1600e598af84986cd19205e7df7a5f8bd41290
- SHA256
  
  def5f494dc4f2f37b4465f17f37d014d7f3a0c5502155929377699ebc9a81647
- SHA512
  
  c1ea022b9a3238118cdf86a0784d39006167729f801f5d34139dfdab4e17f6df83126b2fc53c8490e29560b15683cf6cff40645718c8580fd7fc7246a7765136
- SSDEEP
  
  393216:C09aYD0TVEauWnA0NY5TiL+lQDXTFW8Y8CJqj6rzQIOl++mA34nZXS4IHek:NUYgp/ugVNYO+sZtYLQIO8+b3PF
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy