xworm | c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390 | Triage

Submit
Reports

Overview

overview

Static

static

15415145.exe

windows10-ltsc 2021-x64

15415145.exe

windows11-21h2-x64

Resubmissions

06/03/2025, 15:32

250306-syztyssmz2 10

06/03/2025, 15:00

250306-sdfwca1r18 10

Sharing

General

Target

15415145.exe
Size

59KB
Sample

250306-syztyssmz2
MD5

6c091ad6fae0fa76f44870d1a1b05cb4
SHA1

040f60c0ee3f4902f919025057e34ab4d11b1abd
SHA256

c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
SHA512

3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
SSDEEP

1536:skyZtyUQ8sBkROLW+UzbTH3gfm2qt0OgSko7:skItfQ8sBkROUzbTQf+6OgK7

Score

10^/10

xworm persistence ransomware rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

15415145.exe

Resource

win10ltsc2021-20250218-en

xworm persistence ransomware rat trojan

windows10-ltsc 2021-x64

27 signatures

900 seconds

Behavioral task

behavioral2

Sample

15415145.exe

Resource

win11-20250217-en

xworm persistence rat trojan

windows11-21h2-x64

14 signatures

900 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

known-savage.gl.at.ply.gg:45116

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  15415145.exe
- Size
  
  59KB
- MD5
  
  6c091ad6fae0fa76f44870d1a1b05cb4
- SHA1
  
  040f60c0ee3f4902f919025057e34ab4d11b1abd
- SHA256
  
  c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
- SHA512
  
  3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
- SSDEEP
  
  1536:skyZtyUQ8sBkROLW+UzbTH3gfm2qt0OgSko7:skItfQ8sBkROUzbTQf+6OgK7
Score

10^/10

xworm persistence ransomware rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xwormpersistenceransomwarerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2025

Terms | Privacy