xworm | fc6447a6f4407fe43119c51d7c070a23c2b21f3bd1ed80d45245a49aa8e2fa3b | Triage

Sharing

General

Target

FUD.vbs
Size

97KB
Sample

250307-zw13kaxjs4
MD5

457f2d4041d1873ebb7c33d0ccd41469
SHA1

b70963db9423a72ae7a0e7b25ab48510c27af6c0
SHA256

fc6447a6f4407fe43119c51d7c070a23c2b21f3bd1ed80d45245a49aa8e2fa3b
SHA512

6e623f91e07ce6ecb50581cd8d45c67a7d37f2a77ebe2d1b208722ea12de595dfcea75c1946d37b8f430978beb2227d074857f0b1749daba562ecac0baae65ec
SSDEEP

1536:p6GSeymei7zi/ABajxVOS2DAcsPteLg0xHEe+4ho7xnxPgGlyNowKBjh:p6GKmV7zqAB852DActMne+UIDzwNotB1

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Userprofile%
install_file
injector.exe
pastebin_url
https://pastebin.com/raw/DSFaHH8B

Targets

- Target
  
  FUD.vbs
- Size
  
  97KB
- MD5
  
  457f2d4041d1873ebb7c33d0ccd41469
- SHA1
  
  b70963db9423a72ae7a0e7b25ab48510c27af6c0
- SHA256
  
  fc6447a6f4407fe43119c51d7c070a23c2b21f3bd1ed80d45245a49aa8e2fa3b
- SHA512
  
  6e623f91e07ce6ecb50581cd8d45c67a7d37f2a77ebe2d1b208722ea12de595dfcea75c1946d37b8f430978beb2227d074857f0b1749daba562ecac0baae65ec
- SSDEEP
  
  1536:p6GSeymei7zi/ABajxVOS2DAcsPteLg0xHEe+4ho7xnxPgGlyNowKBjh:p6GKmV7zqAB852DActMne+UIDzwNotB1
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan