xworm | 0b6f399b1b5e976944d903b553343fa00c0af1dacecfcb161b7018c3282c8c8d | Triage

Sharing

General

Target

Sukioshe.API.bat
Size

102KB
Sample

250304-q3j8ysslz8
MD5

378a551aa3a4c5e0adec167eaa224b24
SHA1

0f55fd5a8bae0149321975f44599314ca96d954d
SHA256

0b6f399b1b5e976944d903b553343fa00c0af1dacecfcb161b7018c3282c8c8d
SHA512

a291af2e59ac3db474a6139b6ce2d672d6c556a61bc7ec0360e32565d93c5a1d8c71b7306826232fb78749b6b0a72787763b7ca94e2cda38b0afbcb9ab0e890e
SSDEEP

1536:y1YNBiAGQ4g3JGPFSutTsn5zr73oWiA6WwprhyIha1CjRAoH28oKN34rmeeS3BQe:Hf0Qn3CFSutIHwp9yJCj+oWC45eWKe

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

45.88.91.101:7000

Attributes

Install_directory
%AppData%
install_file
win32.exe

Targets

- Target
  
  Sukioshe.API.bat
- Size
  
  102KB
- MD5
  
  378a551aa3a4c5e0adec167eaa224b24
- SHA1
  
  0f55fd5a8bae0149321975f44599314ca96d954d
- SHA256
  
  0b6f399b1b5e976944d903b553343fa00c0af1dacecfcb161b7018c3282c8c8d
- SHA512
  
  a291af2e59ac3db474a6139b6ce2d672d6c556a61bc7ec0360e32565d93c5a1d8c71b7306826232fb78749b6b0a72787763b7ca94e2cda38b0afbcb9ab0e890e
- SSDEEP
  
  1536:y1YNBiAGQ4g3JGPFSutTsn5zr73oWiA6WwprhyIha1CjRAoH28oKN34rmeeS3BQe:Hf0Qn3CFSutIHwp9yJCj+oWC45eWKe
Score

10^/10

xworm defense_evasion execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Deobfuscate/Decode Files or Information
  Payload decoded via CertUtil.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Deobfuscate/Decode Files or Information

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionexecutionpersistencerattrojan

behavioral2

xwormdefense_evasionexecutionpersistencerattrojan