xworm

General

Target

Moon.exe
Size

41KB
Sample

250305-r23jks1nv9
MD5

79ca2a46df28a9a70c5ba71f9eea8d36
SHA1

297a87b733dc22a1035a98298951be9dd2fc4fda
SHA256

dd0e5bd5e2da4e1ab0c802e95a487197bc7bebacbf830443ff227a62fe44d575
SHA512

d5d5cf8a6ca33d1622917d7b089dbc929112d4140f53c165d0ebd192ea2304f1fdf1460b39dadd113ffdd954338c920be6bfe0b41c2fe0967c5f13c357337e8a
SSDEEP

768:k7toUOeMve8DjdCAr43M4fJF5Pa9p+cH6iOwhP3/mbM:wfBMvewZRrcRF49IcH6iOwF+I

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:4288

rtpj6edci.localto.net:4288

vt3f0udxm.localto.net:4288

Mutex

boy2Lg5CZcIWXAGm

Attributes

Install_directory
%Temp%
install_file
SubDir.exe

aes.plain

Targets

- Target
  
  Moon.exe
- Size
  
  41KB
- MD5
  
  79ca2a46df28a9a70c5ba71f9eea8d36
- SHA1
  
  297a87b733dc22a1035a98298951be9dd2fc4fda
- SHA256
  
  dd0e5bd5e2da4e1ab0c802e95a487197bc7bebacbf830443ff227a62fe44d575
- SHA512
  
  d5d5cf8a6ca33d1622917d7b089dbc929112d4140f53c165d0ebd192ea2304f1fdf1460b39dadd113ffdd954338c920be6bfe0b41c2fe0967c5f13c357337e8a
- SSDEEP
  
  768:k7toUOeMve8DjdCAr43M4fJF5Pa9p+cH6iOwhP3/mbM:wfBMvewZRrcRF49IcH6iOwF+I
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2