xworm | a17b8909af1d89e96eb19201c06ed6d8a04489b965f1456b8307f5d7a31ed43b | Triage

Sharing

General

Target

PcncisxOpEPwd04.exe
Size

1.8MB
Sample

250308-m9q4aswlx4
MD5

cc4fa8e0f981df1ae51a97bf99119152
SHA1

ec0eeed8c459332c51564471d3f3888bb31c37ea
SHA256

a17b8909af1d89e96eb19201c06ed6d8a04489b965f1456b8307f5d7a31ed43b
SHA512

70a9eae974ddc108ece7bd30b35a94656033052da9f3d58d5524966f27068720f17210ac57ee848820b9ef1b60e91aa8eda59a570b7d6e68a6ad2479c78f60c9
SSDEEP

49152:+Om3XJnTAo+00ut5gUhIcwxLJPXVN1nZvjxdFntHrpHPJJ5V79DbPJLFZHxnpHNB:+OyBAB00nWg

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:35248

mounsir24-31804.portmap.host:35248

major-europe.gl.at.ply.gg:35248

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  PcncisxOpEPwd04.exe
- Size
  
  1.8MB
- MD5
  
  cc4fa8e0f981df1ae51a97bf99119152
- SHA1
  
  ec0eeed8c459332c51564471d3f3888bb31c37ea
- SHA256
  
  a17b8909af1d89e96eb19201c06ed6d8a04489b965f1456b8307f5d7a31ed43b
- SHA512
  
  70a9eae974ddc108ece7bd30b35a94656033052da9f3d58d5524966f27068720f17210ac57ee848820b9ef1b60e91aa8eda59a570b7d6e68a6ad2479c78f60c9
- SSDEEP
  
  49152:+Om3XJnTAo+00ut5gUhIcwxLJPXVN1nZvjxdFntHrpHPJJ5V79DbPJLFZHxnpHNB:+OyBAB00nWg
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

behavioral2

xwormdiscoveryexecutionpersistencerattrojan