xworm | 59ae3f7403be6eb6d175e19fccc41998188e27419b4f1e3bc9e2e36f123fc36a | Triage

Submit
Reports

Overview

overview

Static

static

3

Output.exe

windows7-x64

8

Output.exe

windows10-2004-x64

Sharing

General

Target

Output.exe
Size

127KB
Sample

250307-vtkkkstrw8
MD5

c5a8c92a6eae175507942fcdb7b6f4d7
SHA1

b75512ae6d1da96e091a657deb49f6047e696bb4
SHA256

59ae3f7403be6eb6d175e19fccc41998188e27419b4f1e3bc9e2e36f123fc36a
SHA512

0796a4886d9e0f078f9a6a1e324cdfbbbfde1a991e2c2be4d764db12980f8b4b6ca743d707a1561587df4dc9d78fb71bf17cb21d3e886e1ccee28a913c44f592
SSDEEP

3072:e274NpVq8BxFRzaqF+o2GQJ7/JzqVfGv2:eegVqwlL

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Output.exe

Resource

win7-20240903-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

Output.exe

Resource

win10v2004-20250217-en

xworm execution rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

show-commentary.gl.at.ply.gg:19243

Mutex

TJBpUvAwYAstsP7U

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  Output.exe
- Size
  
  127KB
- MD5
  
  c5a8c92a6eae175507942fcdb7b6f4d7
- SHA1
  
  b75512ae6d1da96e091a657deb49f6047e696bb4
- SHA256
  
  59ae3f7403be6eb6d175e19fccc41998188e27419b4f1e3bc9e2e36f123fc36a
- SHA512
  
  0796a4886d9e0f078f9a6a1e324cdfbbbfde1a991e2c2be4d764db12980f8b4b6ca743d707a1561587df4dc9d78fb71bf17cb21d3e886e1ccee28a913c44f592
- SSDEEP
  
  3072:e274NpVq8BxFRzaqF+o2GQJ7/JzqVfGv2:eegVqwlL
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy