xworm | 7bc75b4fd38a6cdcdf9deb8796f34a908a1d0681352f3738842aba2bb8c81132 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

73KB
Sample

250308-vmljaszwby
MD5

f53c0108cf257163f41415363c03d562
SHA1

881e7d0e3d6049369ee313bc538e932a78b690cd
SHA256

7bc75b4fd38a6cdcdf9deb8796f34a908a1d0681352f3738842aba2bb8c81132
SHA512

8f3cd3be86f46678943b5f12d8d48020d402db4880b54fe0ff0c1bc4e5698e52ae727764f71cb3d2a247a72a5f3ad815120346477a585f93163759b770d4d499
SSDEEP

1536:2zR9VkSMBBXtbEHBbWRn5uIOE6U0QgOMTwZBmW:2CSMBB9bEhbWR5cHOMg0W

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win10v2004-20250217-en

xworm discovery execution persistence rat trojan

windows10-2004-x64

26 signatures

900 seconds

Malware Config

Extracted

Family

xworm

C2

hour-amplifier.gl.at.ply.gg:49054

Attributes

Install_directory
%Temp%
install_file
svhost.exe

Targets

- Target
  
  XClient.exe
- Size
  
  73KB
- MD5
  
  f53c0108cf257163f41415363c03d562
- SHA1
  
  881e7d0e3d6049369ee313bc538e932a78b690cd
- SHA256
  
  7bc75b4fd38a6cdcdf9deb8796f34a908a1d0681352f3738842aba2bb8c81132
- SHA512
  
  8f3cd3be86f46678943b5f12d8d48020d402db4880b54fe0ff0c1bc4e5698e52ae727764f71cb3d2a247a72a5f3ad815120346477a585f93163759b770d4d499
- SSDEEP
  
  1536:2zR9VkSMBBXtbEHBbWRn5uIOE6U0QgOMTwZBmW:2CSMBB9bEhbWR5cHOMg0W
Score

10^/10

xworm discovery execution persistence rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy