xworm | 64d831e8450b81d4b4a157c61f7e7f865afcb551acac1496a84ed4b5d3e55d8e | Triage

Submit
Reports

Overview

overview

Static

static

1

file.html

windows10-ltsc 2021-x64

Sharing

General

Target

file
Size

7KB
Sample

250305-e1257syqv4
MD5

038339f0bb533624c8dbb813e744763b
SHA1

e01dd4b05c56e82ea9876980e4872e05786bbf5c
SHA256

64d831e8450b81d4b4a157c61f7e7f865afcb551acac1496a84ed4b5d3e55d8e
SHA512

a6191a2fe2c610db58e75669767ee2a9a1cdc1db042f812c424c1c674e097ed572724c286af68c43d3f20f2948c323b9b3eda4d764883820b754fc96cb67071e
SSDEEP

192:PN2x2BnL7Bvo7q43g/mA0vzG8x59xmG9be0cOBCyU7fN:AxELtoO43g/mflx5nmGle0lGDN

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.html

Resource

win10ltsc2021-20250218-en

xworm discovery execution persistence rat trojan

windows10-ltsc 2021-x64

34 signatures

900 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Targets

- Target
  
  file
- Size
  
  7KB
- MD5
  
  038339f0bb533624c8dbb813e744763b
- SHA1
  
  e01dd4b05c56e82ea9876980e4872e05786bbf5c
- SHA256
  
  64d831e8450b81d4b4a157c61f7e7f865afcb551acac1496a84ed4b5d3e55d8e
- SHA512
  
  a6191a2fe2c610db58e75669767ee2a9a1cdc1db042f812c424c1c674e097ed572724c286af68c43d3f20f2948c323b9b3eda4d764883820b754fc96cb67071e
- SSDEEP
  
  192:PN2x2BnL7Bvo7q43g/mA0vzG8x59xmG9be0cOBCyU7fN:AxELtoO43g/mflx5nmGle0lGDN
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Event Triggered Execution

Change Default File Association

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Event Triggered Execution

Change Default File Association

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy