xworm | 2b0fa86f46148d25d365085a021a9b836e34275955ca0446723553bbcf388ac0 | Triage

Submit
Reports

Overview

overview

Static

static

1

RedwareTemp.bat

windows7-x64

8

RedwareTemp.bat

windows10-2004-x64

Sharing

General

Target

RedwareTemp.bat
Size

548KB
Sample

250308-agtbqszmt3
MD5

73c36e7e75e989f8b1e5dd4e9a1b493d
SHA1

af5bf582a6d1b424355f8af579b8f202fbe4b834
SHA256

2b0fa86f46148d25d365085a021a9b836e34275955ca0446723553bbcf388ac0
SHA512

5c95fcfb41ca505ca2a9d7d0f11d4e57831bfabd5e1c741c6bf26b0b2a89e36524cca53e6eff3ad7ccac14c0030ab0fc76581275ee8acfe0304be216a6e6ec44
SSDEEP

12288:FTiR+PqY3LWerg7f9AqvSU84kI3Hu+MoovimheIBVXMTT:RhAfcidQ6mEy8P

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

RedwareTemp.bat

Resource

win7-20240903-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

RedwareTemp.bat

Resource

win10v2004-20250217-en

xworm execution persistence rat trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe

Targets

- Target
  
  RedwareTemp.bat
- Size
  
  548KB
- MD5
  
  73c36e7e75e989f8b1e5dd4e9a1b493d
- SHA1
  
  af5bf582a6d1b424355f8af579b8f202fbe4b834
- SHA256
  
  2b0fa86f46148d25d365085a021a9b836e34275955ca0446723553bbcf388ac0
- SHA512
  
  5c95fcfb41ca505ca2a9d7d0f11d4e57831bfabd5e1c741c6bf26b0b2a89e36524cca53e6eff3ad7ccac14c0030ab0fc76581275ee8acfe0304be216a6e6ec44
- SSDEEP
  
  12288:FTiR+PqY3LWerg7f9AqvSU84kI3Hu+MoovimheIBVXMTT:RhAfcidQ6mEy8P
Score

10^/10

execution xworm persistence rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy