xworm | 0f4691e7c8b5f9bbd913c207f7d57f3b514e6adee47b32d57ebe0665632a8aac | Triage

Submit
Reports

Overview

overview

Static

static

MasonClient.exe

windows7-x64

MasonClient.exe

windows10-2004-x64

Sharing

General

Target

MasonClient.exe
Size

51KB
Sample

250308-jl83esttbv
MD5

98b0077862a1b5e9cfb7257a96abfbf2
SHA1

c608b9257f5eb5c547875a38b27567ff1fd3fe44
SHA256

0f4691e7c8b5f9bbd913c207f7d57f3b514e6adee47b32d57ebe0665632a8aac
SHA512

0f80ea3b6e04af7dc96f085b318a0b8736dfc72a7d8ac73d86a31023f895be9c3e4cbbef00da507494c3e19a7c376661ed0b91cbf11aef5e1590e3b6c271a846
SSDEEP

1536:IUIPbL8Z6az90D7h47T7baurM+/MbOTuL:IUIPHA6az903y7fbae/MbOiL

Score

10^/10

xworm discovery execution rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

MasonClient.exe

Resource

win7-20240903-en

xworm execution rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

MasonClient.exe

Resource

win10v2004-20250217-en

xworm discovery execution rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Targets

- Target
  
  MasonClient.exe
- Size
  
  51KB
- MD5
  
  98b0077862a1b5e9cfb7257a96abfbf2
- SHA1
  
  c608b9257f5eb5c547875a38b27567ff1fd3fe44
- SHA256
  
  0f4691e7c8b5f9bbd913c207f7d57f3b514e6adee47b32d57ebe0665632a8aac
- SHA512
  
  0f80ea3b6e04af7dc96f085b318a0b8736dfc72a7d8ac73d86a31023f895be9c3e4cbbef00da507494c3e19a7c376661ed0b91cbf11aef5e1590e3b6c271a846
- SSDEEP
  
  1536:IUIPbL8Z6az90D7h47T7baurM+/MbOTuL:IUIPHA6az903y7fbae/MbOiL
Score

10^/10

xworm execution rat trojan discovery
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormdiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy