xworm | 8f91cb9e705bebe84ceefa2ea5d38d96ac2931d53e0b26b2fec13277a6d8e9bc | Triage

Sharing

General

Target

SWAT.exe
Size

13.6MB
Sample

250307-sq6yasssg1
MD5

96ee42a2e614609841880141fc3b1b3b
SHA1

1d0bfeabfcbe823bcb32a39b3fe10f7222c44224
SHA256

8f91cb9e705bebe84ceefa2ea5d38d96ac2931d53e0b26b2fec13277a6d8e9bc
SHA512

fde72f7ed57dbf3b6983c4640c2a38d65820d33537464f89c86084397d932e952ef6fff3952a88c15e348825e10a969f6d5a2e7741060ea445634fffd4ca9aa5
SSDEEP

393216:CvLr0Qv5xpUTLfhJe1+TtIiFvY9Z8D8CclG53x4qIhixkK:Ctv57UTLJE1QtI6a8DZc0xAxK

Score

10^/10

xworm execution pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

meowycatty.ddns.net:8843

Mutex

0E4VwJ2aWKHLu9kc

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  SWAT.exe
- Size
  
  13.6MB
- MD5
  
  96ee42a2e614609841880141fc3b1b3b
- SHA1
  
  1d0bfeabfcbe823bcb32a39b3fe10f7222c44224
- SHA256
  
  8f91cb9e705bebe84ceefa2ea5d38d96ac2931d53e0b26b2fec13277a6d8e9bc
- SHA512
  
  fde72f7ed57dbf3b6983c4640c2a38d65820d33537464f89c86084397d932e952ef6fff3952a88c15e348825e10a969f6d5a2e7741060ea445634fffd4ca9aa5
- SSDEEP
  
  393216:CvLr0Qv5xpUTLfhJe1+TtIiFvY9Z8D8CclG53x4qIhixkK:Ctv57UTLJE1QtI6a8DZc0xAxK
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan