xworm | eed83e7510bd8497fad0f0b65455e8afa0531b9833357ad75934ff8df0a7896a | Triage

Submit
Reports

Overview

overview

Static

static

MasonSpoofer.exe

windows7-x64

MasonSpoofer.exe

windows10-2004-x64

Sharing

General

Target

MasonSpoofer.exe
Size

54KB
Sample

250305-tf782ssny4
MD5

4d0c7560ec5c28a513a9fde9838547e8
SHA1

66393d9c9e6b3a9f4d38b6bc9161d28e7a7b2ffd
SHA256

eed83e7510bd8497fad0f0b65455e8afa0531b9833357ad75934ff8df0a7896a
SHA512

77df7c7dcd8a29cc8c83c074902e90f0f3ade77ca726ef33c543c8877112f5f5ea424ff003d720f3ddc9ec8683d712dcc9760b9e22b89fcfaa5f5ea2409fac11
SSDEEP

1536:vi5XmXObBvFn2TzqbLho8I/HusbOznuf:vcvF2SbLhu/HusbOzuf

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

MasonSpoofer.exe

Resource

win7-20240903-en

xworm execution rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

MasonSpoofer.exe

Resource

win10v2004-20250217-en

xworm defense_evasion execution persistence rat trojan

windows10-2004-x64

32 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/J42c6s7r

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Targets

- Target
  
  MasonSpoofer.exe
- Size
  
  54KB
- MD5
  
  4d0c7560ec5c28a513a9fde9838547e8
- SHA1
  
  66393d9c9e6b3a9f4d38b6bc9161d28e7a7b2ffd
- SHA256
  
  eed83e7510bd8497fad0f0b65455e8afa0531b9833357ad75934ff8df0a7896a
- SHA512
  
  77df7c7dcd8a29cc8c83c074902e90f0f3ade77ca726ef33c543c8877112f5f5ea424ff003d720f3ddc9ec8683d712dcc9760b9e22b89fcfaa5f5ea2409fac11
- SSDEEP
  
  1536:vi5XmXObBvFn2TzqbLho8I/HusbOznuf:vcvF2SbLhu/HusbOzuf
Score

10^/10

xworm execution rat trojan defense_evasion persistence
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormdefense_evasionexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy