xworm | 7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e | Triage

Sharing

General

Target

7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e.exe
Size

851KB
Sample

250304-dds4caxvf1
MD5

28badf3eb1aa6ce975fee86e6ec1dc14
SHA1

8f19c7dbdde308e463b0412d73ea7083b1bcc816
SHA256

7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e
SHA512

eb5da8590065d4a289c75c4f3d3124ecc854398a7e846ddb2c2aec5d136817e393ce8881c539b08d0f3eee79e56ccab5dbe0e57054eccbe97769189cc73f356e
SSDEEP

12288:vWMnQ1Kfk7AEYQCJSsFlsIQfYl2N3qWkj9d/qArFK6eNXwC94EBTR+:uj7AEYQCQaKbA63+jPqAUNXjBBT0

Score

10^/10

xworm discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

56TvElZMbqDoRvU7

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e.exe
- Size
  
  851KB
- MD5
  
  28badf3eb1aa6ce975fee86e6ec1dc14
- SHA1
  
  8f19c7dbdde308e463b0412d73ea7083b1bcc816
- SHA256
  
  7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e
- SHA512
  
  eb5da8590065d4a289c75c4f3d3124ecc854398a7e846ddb2c2aec5d136817e393ce8881c539b08d0f3eee79e56ccab5dbe0e57054eccbe97769189cc73f356e
- SSDEEP
  
  12288:vWMnQ1Kfk7AEYQCJSsFlsIQfYl2N3qWkj9d/qArFK6eNXwC94EBTR+:uj7AEYQCQaKbA63+jPqAUNXjBBT0
Score

10^/10

discovery xworm rat spyware stealer trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryratspywarestealertrojan