xworm | 0d2e82ca0d95d0ccca529f976f6334bd623a0dbad25be79a3127521e5816fe94 | Triage

Sharing

General

Target

ASASQSQ.exe
Size

1.7MB
Sample

250305-2nwh8a1vhs
MD5

1f583cdad39718a3bbb8b25b44ec2ce1
SHA1

fcf80c45499f3f42506e3bbc1cadd4103380b8db
SHA256

0d2e82ca0d95d0ccca529f976f6334bd623a0dbad25be79a3127521e5816fe94
SHA512

91dbcc3dbb43e64d02392a67c1d9fa80b7aafd1c4759b78fb6dbd3f55940c7dc05c00d0091b070c17400ce3a78c3fd3f3ef579604d0c2d5bed39d476bb7f9f57
SSDEEP

49152:qjQ3JroNE7cZchtwBqN9smtUI1293vaRSO3:qcwE7ichtMY9suUIyQf

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.26:38655

Attributes

Install_directory
%AppData%
install_file
♬ ♬.exe

Targets

- Target
  
  ASASQSQ.exe
- Size
  
  1.7MB
- MD5
  
  1f583cdad39718a3bbb8b25b44ec2ce1
- SHA1
  
  fcf80c45499f3f42506e3bbc1cadd4103380b8db
- SHA256
  
  0d2e82ca0d95d0ccca529f976f6334bd623a0dbad25be79a3127521e5816fe94
- SHA512
  
  91dbcc3dbb43e64d02392a67c1d9fa80b7aafd1c4759b78fb6dbd3f55940c7dc05c00d0091b070c17400ce3a78c3fd3f3ef579604d0c2d5bed39d476bb7f9f57
- SSDEEP
  
  49152:qjQ3JroNE7cZchtwBqN9smtUI1293vaRSO3:qcwE7ichtMY9suUIyQf
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  XClient.exe
- Size
  
  210KB
- MD5
  
  6f44d5dd4b1fb7c1d2aaefa76c078a22
- SHA1
  
  d4f08c5390c240e9b049d17d9e194143cff780df
- SHA256
  
  cf964077390a9d3ae946829975483f8aae1da1cd2a0385cc66107e4b84e56a18
- SHA512
  
  12ef5efa88531b62961d2f13ab32a9b1fb6ba39eca6d2916d217a73765adfe62f4438d2e4b70032aee1f0b376082a633b2cab8082170007d2a8d51a8f0e45824
- SSDEEP
  
  3072:oKikaK+b/lP5o74RkpOIhIW+xRUGKXs+S++7KFSbxeY+qDDrMr:okaK+b/Z8X60GqStKEbxI
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  es^p Supreme V1.exe
- Size
  
  2.4MB
- MD5
  
  13bab5a9b8cf9299313bd11fb57b0d2a
- SHA1
  
  9c2b902d6aa01085b0a2a8def75a47852fa316cd
- SHA256
  
  f517cf20ddc450820ebddf607250dcfb6c9643c5a58b017118acadf7da181d2e
- SHA512
  
  c1e6afbf3d187ea50735440a9525156cf225c0ffe62e5182568b7fffa1fd3c297074cdcc036f2babb53121f08439e8aeaa148910c3ca891aeb52764be6f19ca4
- SSDEEP
  
  24576:XhsF5j4KSASvlQ0sIbpt7g8K7eUqduqPnOhEOPNb5oF87MR9eno8YdnNyBo4kx9S:KFRn0Iwphk7eTUen2PN9/B+kn3Hnx
Score

1^/10
behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryrattrojan

behavioral2

behavioral3