xworm | bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6 | Triage

Sharing

General

Target

fsdjgfsdhnfgsd.bat
Size

65KB
Sample

250304-qzz51aslw2
MD5

e6ee7aca370346191e07ae542b95cb8c
SHA1

0a2376a42bd1639cab1909e22ad423a4cefab293
SHA256

bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6
SHA512

7583d3b036ed7bd23f480772fb6f2f70acca8f01be0b6a2a45eb1d7887d38060c2e49435a1e04db8a3a6f06d5200b794bd604559576b6310618607837614cf4a
SSDEEP

1536:ypDhvQgdHQgXro4uFtnqK00ZVrKt1ag2pN7Gop:yXE4uFkKLkanNSop

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.144.212.242:7000

Mutex

GHrcTVoc3c8G04bh

Attributes

Install_directory
%AppData%
install_file
SubDir.exe

aes.plain

Targets

- Target
  
  fsdjgfsdhnfgsd.bat
- Size
  
  65KB
- MD5
  
  e6ee7aca370346191e07ae542b95cb8c
- SHA1
  
  0a2376a42bd1639cab1909e22ad423a4cefab293
- SHA256
  
  bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6
- SHA512
  
  7583d3b036ed7bd23f480772fb6f2f70acca8f01be0b6a2a45eb1d7887d38060c2e49435a1e04db8a3a6f06d5200b794bd604559576b6310618607837614cf4a
- SSDEEP
  
  1536:ypDhvQgdHQgXro4uFtnqK00ZVrKt1ag2pN7Gop:yXE4uFkKLkanNSop
Score

10^/10

xworm defense_evasion execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Deobfuscate/Decode Files or Information
  Payload decoded via CertUtil.
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Deobfuscate/Decode Files or Information

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasionexecutionpersistencerattrojan