xworm

Sharing

Copy URL

Twitter E-mail

General

Target

antinashook.zip
Size

9.9MB
Sample

250307-3r38xazlt8
MD5

f1ad64a42933a7fa7c9b090c1894787a
SHA1

475377ee153f738d1bdbe24d560d958ee62c2e18
SHA256

150ac1fb1dfc122655f683b3ec40e672d815c03699fb68a69917eb7b8ae8373d
SHA512

b6b263491a3234a8217dc3203d40dc1bea3518167515f2b4c8bbd3b06e9544b517a6749ed4da6818fc6f27ec9d4468f2699f56c981942ca8dd4f47648b45d266
SSDEEP

196608:QG01oGGyvdaOU/dzrBC/O6Z+vGkYQJppqj/cD+YhS/W162nuOn4PEoWFARRO:QtZ1aOU/pU/O6Z+Ok7JTqbshSOIO3FA6

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Public%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/1vj9gviK

Targets

- Target
  
  antinashook/WinRes32.exe
- Size
  
  952KB
- MD5
  
  0c7e5b83652dabf3503bf0001b329afa
- SHA1
  
  b27452eb81f2e1b2958e3a9980fe35807f01f248
- SHA256
  
  d2d26cfeffede48bad16333b3fb1098f2c713598c2eaf37f9894069fecdce2fe
- SHA512
  
  5fe40e55382ff33642d55e738106d4e8fd78d6ee9129cb693d9c6c3025cdc30d855dba09bf4f3f932ba0e483d0e18a9eb079f357ce5c60399b54c19382007854
- SSDEEP
  
  24576:g1Way//sMrF9Q0LDnjH+eQIn1J/bYbV2u6MxgndIXhagbA0Q:uyHsMrF9Q0vCeQIvTYbwu6HndIXYgbT
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  discord_voice/discord_voice.node
- Size
  
  17.7MB
- MD5
  
  9cb74dcf8f96968411f245f9f3b8beeb
- SHA1
  
  d80fb899289b2bb26f9bf90058e75466f6d60ec2
- SHA256
  
  de57dfa61b31808dae1599cd8773df037d2ccb275ca0d6c3a7827bd240ae061a
- SHA512
  
  b8e8f5b3012dee36655a1d41d54a7a849d7b677a6afdf577395da07139ed807931af2cdf950271e2e3e001fc0114fe7319493cdb5e08db41519bf2e4a36f7cb2
- SSDEEP
  
  98304:U9bwSfQss8/X1r8azoFMZNLL8P08Y/LPL8hPx1SJ+WqM2//1XB87pOodKLsHeb2N:5nFM+APL8hJ151bMl+CF
Score

1^/10
behavioral3 behavioral4
- Target
  
  discord_voice/gpu_encoder_helper.exe
- Size
  
  790KB
- MD5
  
  58628d3c0c28dc5cf364126a17a07f00
- SHA1
  
  a1db97dd891abea76dcdfac37a2f731639756c84
- SHA256
  
  79196f94e1de683bdd6a8783fefb09ce091d062687a72fc3d1f004196de4ec22
- SHA512
  
  0f532cc354efcbd3e6d89d3e0f29ad9f681bb8e35717748138c6b132c5d36d074d241b9fe60faa3008aedafe09f30e79b7890b8d67a2f4889ea0fa26d6c86c96
- SSDEEP
  
  12288:fzrN8b/QFQo/e1Lm17TOsiIMyy3GJ6u/DYU:LrN88P/etm1vHDx6GJ6WDYU
Score

1^/10
behavioral5 behavioral6
- Target
  
  discord_voice/index.js
- Size
  
  21KB
- MD5
  
  b76b9633cf9450ce25d0d29b841a272c
- SHA1
  
  ebe143c7736732a87b7f8b165bc1988cfbba9f3b
- SHA256
  
  985a4aae1bb4acb836a56bc82d3836eb98e9abfbcf408d67cdcd9fd4d34d4c82
- SHA512
  
  e6a440789f4c685e8110559668d9b11b2fa9f996f5c0a217c3c03f80087a8230a0acf5f115c1f05583022e806c04649270b2238615e278fe756efcbd603e2a0b
- SSDEEP
  
  384:GVc91zv6mp2ilx872hEyG3lMjHiv/RZ558elkIAPUk8JliNK44Vl74JGnGoddlUX:qcnvp0ybG3lMjHiv5HKelkIAPUHJliNT
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  discord_voice/mediapipe.dll
- Size
  
  5.9MB
- MD5
  
  dfcfc79f1777433834f594bdbc6c25c1
- SHA1
  
  0764397992250275b0c524a228fb9057c2315ec2
- SHA256
  
  3b44af220ed9258e33811f93655e8b1220c828ae76380c05795447dde508ec25
- SHA512
  
  23d3c8ec3fa9399ca24620f9b90c84486731528481399c10f752396ad8261185f30747da646952542daa08eb58eb4d94dd2a62d2112c5fd1f4725b00f251e793
- SSDEEP
  
  49152:2XgvfPGAH0A1LjUkwJ25HkLyKTnWSdsCECELRvVXkykLoObNf2pAmgbxbLEDwNbg:kOLxfCNCnu4g+iM4PkqfV2e4
Score

1^/10
behavioral10 behavioral9
- Target
  
  discord_voice/openh264-2.2.0-win64.dll
- Size
  
  954KB
- MD5
  
  7ffbf336333754f961bb65aa680c4dbc
- SHA1
  
  430483568eb72a520b72775c38b2caa1cc0343ce
- SHA256
  
  9b392bf05cff1199cc44af236fa672c717f484e79c99d35bf1bed153a423d2d0
- SHA512
  
  0a7ce2c3b05dcbc7be950733a5191387376bb448696f68b76fb09b2f781cb32b2d1d19f0ec9d84ee69243669726c3e88e4d9c427ad41113ee48acee5535bf2e0
- SSDEEP
  
  24576:bCE8T5Za1prFgHg6YVIi2R/xIrlqMVKhNJ724:bCE06SbIrlt+NJV
Score

1^/10
behavioral11 behavioral12
- Target
  
  antinashook/hook.dll
- Size
  
  844KB
- MD5
  
  e26c4fea3d7b3c8fd631b3403af54f6c
- SHA1
  
  ee9f3a80b0d6f87a626488ae0c3f63acdb8cf426
- SHA256
  
  62af1a5367438c9f888b66dcd5465c5a1f4722519cf39abc1e35b636c43932fc
- SHA512
  
  79d57a0bec8cbd1831e57cce54b124a322024547735be330688e524bbcd971641aa50962b14338f0144aeae4def17b399a1f88aecc80eef0c1a17f80a9fb894e
- SSDEEP
  
  12288:Bfi/nYHesZrCRtvCkM/YCdD6E01BR0nqS8FSi5rGbV:9iPY+s5CHvCkMQCtKR0q9FBmV
Score

1^/10
behavioral13 behavioral14