xworm | 73fb3918ca62572de658babcbcde7f5c198068913dd15bab65cbe8cff23c9526 | Triage

Sharing

General

Target

CelestialCrack (Celestial).zip
Size

141KB
Sample

250306-mt33xswwfs
MD5

fe3bc14f841a9cfe5298cf4aa96d9b5c
SHA1

a09da7db859564a215df9b8846fb78d80f436f43
SHA256

73fb3918ca62572de658babcbcde7f5c198068913dd15bab65cbe8cff23c9526
SHA512

f231509d216612e4f9364b3ccfe62106939e8a1ba7927583b9a440b0250b7c487f5748e640e576a28f5c86bd977e9d0e08fe63ae881a44340e07a110051185da
SSDEEP

3072:mjAQMURi09bzDlcEV4cA3qFDbqSzJkNRh4pMQf:IMUUiPObcA3qFjSh8t

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

add-springer.gl.at.ply.gg:60216

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  CelestialCrack.exe
- Size
  
  146KB
- MD5
  
  b9170d37ddb8bfbad5afd93a550232fa
- SHA1
  
  8004867d262c27f0b0464f7ed686cac434da024a
- SHA256
  
  ca13b369259edd192dad0120a8d267bc9aaa8cbd10232db2f011d7b043cfff32
- SHA512
  
  a224e9027049fedffcac56f4cb7f4acb0184c4ddea1f9bf1ed9a03141d06a9ba113f8cca55773932078668ccfc43a5fb20dfd7e5a72d443c0a43c9f5cf507a62
- SSDEEP
  
  3072:+tO3dom2hHDOxycn+XnQ5LueGKQGT2XgvL0fSUb6jYt:25mwm+A5Lu3O2XgkSvi
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormpersistencerattrojan