xworm | 9365fa153dd60ba9703ea92cd37e0c737c5f222012644f6acb0892c558113451 | Triage

Sharing

General

Target

upO Builder 0.9.7.exe
Size

3.5MB
Sample

250306-vqej6atsft
MD5

c7789a0f8d83e744a84b0b4be0be7158
SHA1

c8ffb47663650341146810daf5ebbc29018b3e1d
SHA256

9365fa153dd60ba9703ea92cd37e0c737c5f222012644f6acb0892c558113451
SHA512

711c59377faad994c4696d16e2718578f82673b2baac9d6d7022a5f37c81bfff71e812e8f5d574bfbfaf748b73d794faccc885d036dea751ea52e108e3dfea7a
SSDEEP

98304:weaJXwmAk5dop8nuxgHe2eBu7jqhbq2OkVV9icA:WAk5dop8nuO1r7jq9nTFip

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/J42c6s7r

Targets

- Target
  
  upO Builder 0.9.7.exe
- Size
  
  3.5MB
- MD5
  
  c7789a0f8d83e744a84b0b4be0be7158
- SHA1
  
  c8ffb47663650341146810daf5ebbc29018b3e1d
- SHA256
  
  9365fa153dd60ba9703ea92cd37e0c737c5f222012644f6acb0892c558113451
- SHA512
  
  711c59377faad994c4696d16e2718578f82673b2baac9d6d7022a5f37c81bfff71e812e8f5d574bfbfaf748b73d794faccc885d036dea751ea52e108e3dfea7a
- SSDEEP
  
  98304:weaJXwmAk5dop8nuxgHe2eBu7jqhbq2OkVV9icA:WAk5dop8nuO1r7jq9nTFip
Score

10^/10

xworm defense_evasion discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionrattrojan