xworm

General

Target

Nurik 1.16 crack (infected)_2.zip
Size

725KB
Sample

250306-nje4saxp13
MD5

c8d1c0513b0d5a6270c063fae014f87c
SHA1

61a376cf8a42dcdf300867e596933f6d956efac8
SHA256

c42f18ec71756e7e53ed0b7e9c5c7862ff04d2954eb5a56a534a735b2b3b034b
SHA512

1ea53db181a53f854493809cbb2b2849f9440870cd9aaf569351c69cc1dbb1061b0d14bf1a614c84d56383f741af0534d500118c79c560ab2aca54776968b42d
SSDEEP

12288:W6vL9RqmZf4Mf030dBV1YiIcHYMJ5S42UbJtYg9BFjA4tdsVzZY4G0gUypa/uK7l:jPFp034z1Yi34GSBUbJt04vkY4c7c/u8

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

funds-skating.gl.at.ply.gg:28367

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Targets

- Target
  
  CrackLauncher.exe
- Size
  
  602KB
- MD5
  
  3f130f5434b8e3f910ed4728752d0d90
- SHA1
  
  25451b8025d529012b81e38493c42c682337b148
- SHA256
  
  c3d4c0d6d8bdb25a0982bb01524aea9383f4c2cfbfebdbca2982594f6d675032
- SHA512
  
  63eceae915c2c7a69c2c8238d55fc595e01971ba207d7a853617cd75040bb6542228a73cd0946174bdd380f541a072efb1d01ae674182155f76cb98672330e75
- SSDEEP
  
  12288:YkHpR0q8/RBgTmBbbFHOyml6bmqNjIabY1IY6QcBo:Nqp4xqd3o
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  CrackLauncher.exe
- Size
  
  602KB
- MD5
  
  3f130f5434b8e3f910ed4728752d0d90
- SHA1
  
  25451b8025d529012b81e38493c42c682337b148
- SHA256
  
  c3d4c0d6d8bdb25a0982bb01524aea9383f4c2cfbfebdbca2982594f6d675032
- SHA512
  
  63eceae915c2c7a69c2c8238d55fc595e01971ba207d7a853617cd75040bb6542228a73cd0946174bdd380f541a072efb1d01ae674182155f76cb98672330e75
- SSDEEP
  
  12288:YkHpR0q8/RBgTmBbbFHOyml6bmqNjIabY1IY6QcBo:Nqp4xqd3o
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Detect Xworm Payload

Xworm

Xworm family

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2