xworm

Target

ExodusInject.exe
Size

227KB
Sample

250305-3ywseatky2
MD5

38b7704d2b199559ada166401f1d51c1
SHA1

3376eec35cd4616ba8127b976a8667e7a0aac87d
SHA256

153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564
SHA512

07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27
SSDEEP

3072:iBIVzZQgudhV3mypQgbNjcEHBAnpK37nXY8q004Q78ePsi74tyJhbgKL/VoilIBS:Ur3mypQX8mOeP/9/VtLGH+8l

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Targets

- Target
  
  ExodusInject.exe
- Size
  
  227KB
- MD5
  
  38b7704d2b199559ada166401f1d51c1
- SHA1
  
  3376eec35cd4616ba8127b976a8667e7a0aac87d
- SHA256
  
  153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564
- SHA512
  
  07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27
- SSDEEP
  
  3072:iBIVzZQgudhV3mypQgbNjcEHBAnpK37nXY8q004Q78ePsi74tyJhbgKL/VoilIBS:Ur3mypQX8mOeP/9/VtLGH+8l
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deletes itself

Drops startup file

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5