xworm | d49c722e1131ba0f485329ace558071e28b797672d2a80e98dd3c52afe36268e | Triage

Sharing

General

Target

Account_Access_Alert_March05_2025_Report.lzh.rar
Size

36KB
Sample

250305-q3l3jszwby
MD5

2caded0dda6fb2e3eac9591ab15dcb6d
SHA1

57411055cc6f06c3e212ce77c7b19dea2a351003
SHA256

d49c722e1131ba0f485329ace558071e28b797672d2a80e98dd3c52afe36268e
SHA512

60dc15eb45af554c1698a084e317a2093355f17ff0adbc0c45df3bca4264aeb3ba341564e3b8026a1eaeb5e026a57e1cd9f355e26073a7e874120eab1af95121
SSDEEP

768:PRJQqiC29mKQqMXJCFd7a90W/im9JdKruYmBF5pnak/mO2d0:P4qZ2gKQqKmd71OnJ+u5BF5pak/PO0

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

remnew25.duckdns.org:3984

Mutex

XqNiNJ9BHQEGZDPh

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  Account_Access_Alert_March05_2025_Report.bat
- Size
  
  66KB
- MD5
  
  884179d856f1870b50ee3b0ca606ca8a
- SHA1
  
  12f60d3393ac5e5c93637c168cc678b05aec183a
- SHA256
  
  02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f
- SHA512
  
  ccac70be4a34a296010541496ada60763fcc460140956fb44d4051c84b2225109bb8fa68ee3d0ea4755d33ad39cba179883560bb7eae95b351dbc5204f39c50f
- SSDEEP
  
  1536:IjfS0G9/uMZf+dCwNsHbsFfKi2lkH0ZkbmEKUgXEXzICKUnFhGg:f9/uzdCwNs7wZ2GHZHfTGg
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan