xworm | 46c5104b98da465b208c05d2ae557194d166b4b149aa3d12a148657bef0eb96b | Triage

Submit
Reports

Overview

overview

Static

static

1

SuryetexOr...df.lnk

windows7-x64

SuryetexOr...df.lnk

windows10-2004-x64

Sharing

General

Target

SuryetexOrder_PO2025306.pdf.lnk
Size

3KB
Sample

250307-tfrw3asyb1
MD5

0bab2699985e9608e29bf856b17d8244
SHA1

2a5236c305599dfeb95477cc230f248597910782
SHA256

46c5104b98da465b208c05d2ae557194d166b4b149aa3d12a148657bef0eb96b
SHA512

3554e19d9ceea894b611e4ed491b1156310097b1ab3644433198913fdb077af321e0b344f76bb1d12687d35a1ad46bbc4c5661701e9153d2d00a25dd0e8487a0

Score

10^/10

xworm discovery execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

SuryetexOrder_PO2025306.pdf.lnk

Resource

win7-20240903-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

SuryetexOrder_PO2025306.pdf.lnk

Resource

win10v2004-20250217-en

xworm discovery execution rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://87.121.79.103/download/6b4cc14c9c6445989353e73e97374f17.txt

Extracted

Family

xworm

Version

5.0

C2

remnew25.duckdns.org:3984

Mutex

XqNiNJ9BHQEGZDPh

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  SuryetexOrder_PO2025306.pdf.lnk
- Size
  
  3KB
- MD5
  
  0bab2699985e9608e29bf856b17d8244
- SHA1
  
  2a5236c305599dfeb95477cc230f248597910782
- SHA256
  
  46c5104b98da465b208c05d2ae557194d166b4b149aa3d12a148657bef0eb96b
- SHA512
  
  3554e19d9ceea894b611e4ed491b1156310097b1ab3644433198913fdb077af321e0b344f76bb1d12687d35a1ad46bbc4c5661701e9153d2d00a25dd0e8487a0
Score

10^/10

execution xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy