xworm | e7ef39b259c49829ba5c285e8dd1bbd7e8a04905c42ecceee2ccc2741dd5345e | Triage

Sharing

General

Target

SWAT-Raider.zip
Size

13.4MB
Sample

250305-yzvjhsyjz5
MD5

479add3be7e9737a382fd3a4896b4c5a
SHA1

e96c9f34a09c29dc37bc1fa9e56e90cd08dcef40
SHA256

e7ef39b259c49829ba5c285e8dd1bbd7e8a04905c42ecceee2ccc2741dd5345e
SHA512

670c7a3288105ccce9bfaed48be4b49438ff74dd5f286a77fb8f0715299221488b2a687b4c5ec362e26d7d13ab654187814491566fcd506f37263b9d78381982
SSDEEP

393216:/SnnSN8LRcVLM4RHRnXHmeh0Vc3w5SO7rf2drOp91rtqXxFCye:qnnL2VLZFhXHV37O772NGM6ye

Score

10^/10

xworm execution pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

meowycatty.ddns.net:8843

Mutex

0E4VwJ2aWKHLu9kc

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  SWAT.exe
- Size
  
  13.6MB
- MD5
  
  96ee42a2e614609841880141fc3b1b3b
- SHA1
  
  1d0bfeabfcbe823bcb32a39b3fe10f7222c44224
- SHA256
  
  8f91cb9e705bebe84ceefa2ea5d38d96ac2931d53e0b26b2fec13277a6d8e9bc
- SHA512
  
  fde72f7ed57dbf3b6983c4640c2a38d65820d33537464f89c86084397d932e952ef6fff3952a88c15e348825e10a969f6d5a2e7741060ea445634fffd4ca9aa5
- SSDEEP
  
  393216:CvLr0Qv5xpUTLfhJe1+TtIiFvY9Z8D8CclG53x4qIhixkK:Ctv57UTLJE1QtI6a8DZc0xAxK
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan