General

  • Target

    XwormLoader.exe

  • Size

    7.8MB

  • Sample

    250306-1q36eayp15

  • MD5

    239e4c2d3e6553ad53ccc6172a6a11b8

  • SHA1

    f7313274cc27c47ca78a476541e0e30e84c4dcbc

  • SHA256

    fb05744e6285d0d7eaff70f7b303eb04ed24080af8c31e83b7da0bae16e2c216

  • SHA512

    76cce7ec3788db10a1886a27b862f5203c0c8d4294b79efb4512442d8b817be3ea3fb9777e5bacff90e38f14c84a60e319cff23e028dbd9567f4913d94b137f3

  • SSDEEP

    196608:7//b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr3:7/yvRZBEP3xZi5Oso+PWbXooL4Sa3

Malware Config

Extracted

Family

xworm

Version

5.0

C2

217.195.153.81:50000

Mutex

5UXpujbt6vWtkdEG

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks