xworm | 79a0a92cd82c5a3b0d3e8c72d1acbec46ac9677797cf751584ef5fb838e5b0ec | Triage

Sharing

General

Target

run.ps1
Size

50B
Sample

250308-2rsazatvbw
MD5

a842bb38fa14cb90a9a3169e0da00d0e
SHA1

d8541bd2cfb386294b24c4c4e68eba269cbffcd9
SHA256

79a0a92cd82c5a3b0d3e8c72d1acbec46ac9677797cf751584ef5fb838e5b0ec
SHA512

a068a2d4945f38fdd4165089679593b60bc594bb993c0c61f3c08b6b9496f695d847f7f970793a46eaf33ffe80fd93cc3dbee889f471368b6c8bac36a0df9048

Score

10^/10

xworm defense_evasion execution rat trojan

Malware Config

Extracted

Family

xworm

C2

running-boating.gl.at.ply.gg:49261

Mutex

nTuejMBVrsDVuX5I

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  run.ps1
- Size
  
  50B
- MD5
  
  a842bb38fa14cb90a9a3169e0da00d0e
- SHA1
  
  d8541bd2cfb386294b24c4c4e68eba269cbffcd9
- SHA256
  
  79a0a92cd82c5a3b0d3e8c72d1acbec46ac9677797cf751584ef5fb838e5b0ec
- SHA512
  
  a068a2d4945f38fdd4165089679593b60bc594bb993c0c61f3c08b6b9496f695d847f7f970793a46eaf33ffe80fd93cc3dbee889f471368b6c8bac36a0df9048
Score

10^/10

execution xworm defense_evasion rat trojan
- Detect Xworm Payload
- UAC bypass
  defense_evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormdefense_evasionexecutionrattrojan