xworm | fdb0641302824a729dcdbf6235a60a7661ee14951f82cc486cf0a874e8c38e1e | Triage

Submit
Reports

Overview

overview

Static

static

1

VMenu3.121fix1.bat

windows7-x64

8

VMenu3.121fix1.bat

windows10-2004-x64

Sharing

General

Target

VMenu3.121fix1.bat
Size

527KB
Sample

250305-ej7pcsykz2
MD5

3d1653ee332959fc6ea17400cdb636bd
SHA1

3a75f6b73477b63300bc1065caaa7c9af066b6b4
SHA256

fdb0641302824a729dcdbf6235a60a7661ee14951f82cc486cf0a874e8c38e1e
SHA512

6eaaf2c0cd2322dcb9fcd71d030afaabaf13b0ed881fafe8db569da5cb2e196147045105067b3d5dc9aa80d2c61d44d6f063b82c74f6954b5bb956e4597e0b06
SSDEEP

6144:BLG0TmgMe4wGS6I4LjSAeEP3xI0r+/nBkJgrICpdZGz2LDpb5uZ8OaE2i88tmKb4:BCZgMe46AeSBHoBigr3ZnLjmsi4xq/G

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

VMenu3.121fix1.bat

Resource

win7-20240903-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

VMenu3.121fix1.bat

Resource

win10v2004-20250217-en

xworm execution rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

operates-rna.with.playit.plus:4377

Attributes

Install_directory
%LocalAppData%
install_file
XClient2.0.exe

Targets

- Target
  
  VMenu3.121fix1.bat
- Size
  
  527KB
- MD5
  
  3d1653ee332959fc6ea17400cdb636bd
- SHA1
  
  3a75f6b73477b63300bc1065caaa7c9af066b6b4
- SHA256
  
  fdb0641302824a729dcdbf6235a60a7661ee14951f82cc486cf0a874e8c38e1e
- SHA512
  
  6eaaf2c0cd2322dcb9fcd71d030afaabaf13b0ed881fafe8db569da5cb2e196147045105067b3d5dc9aa80d2c61d44d6f063b82c74f6954b5bb956e4597e0b06
- SSDEEP
  
  6144:BLG0TmgMe4wGS6I4LjSAeEP3xI0r+/nBkJgrICpdZGz2LDpb5uZ8OaE2i88tmKb4:BCZgMe46AeSBHoBigr3ZnLjmsi4xq/G
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy