xworm | 3e29a57bde610ff61c422796b89fc4332f265cc50e966593fc2b00bb23a13a21 | Triage

Submit
Reports

Overview

overview

Static

static

3

SystemSettings.exe

windows7-x64

SystemSettings.exe

windows10-2004-x64

Sharing

General

Target

SystemSettings.rar
Size

130KB
Sample

250306-sgl7ja1vgt
MD5

cfd1e38ba89d12c7dcb31f7fcc688064
SHA1

2d3ee0fa93877e850e625ed3e5f18d3dea70e167
SHA256

3e29a57bde610ff61c422796b89fc4332f265cc50e966593fc2b00bb23a13a21
SHA512

326ac74f3a27163d591193e323bb84e1ae10bd22ea2fe323c414265e66c5a720f271b8f4de8039989920aeb5937c5b1fdba03d0328427ef94bfee41101064c7f
SSDEEP

3072:nrURbAWbGvrMy06g8CdSgtapOYkJGJE+/7thDG/3yWitioCwnk:ObAW1yB7mSgtaEuEyhJlk

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SystemSettings.exe

Resource

win7-20240903-en

xworm execution rat trojan

windows7-x64

13 signatures

900 seconds

Behavioral task

behavioral2

Sample

SystemSettings.exe

Resource

win10v2004-20250217-en

xworm execution rat trojan

windows10-2004-x64

18 signatures

900 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

uoqo0jDHykn623lG

Attributes

Install_directory
%Public%
install_file
SystemSettings.exe
pastebin_url
https://pastebin.com/raw/4zaiEtZS
telegram
https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Targets

- Target
  
  SystemSettings.exe
- Size
  
  332KB
- MD5
  
  701a94f53d54d38a11f4e60bc4f95b18
- SHA1
  
  7413f5e4fc73eaf07d9d6cd67fc88fd40b70d9d0
- SHA256
  
  9233d5872258aa674b015b57a4f37ca43a22524a682382cd88969cef135dacdb
- SHA512
  
  4d63f155adbc5271fc82a263c4df29566ffbabb512ad2a7c73736969b29760bc0ae86e58f396907b8afa8791e8a8b042c895f94126a00da8c0b050e7ef343440
- SSDEEP
  
  6144:6qXq7egSKNNO3BLZsgd8+f0Pn95maRWFjt:6qapSKNNOpZsgdQbmamjt
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy