xworm | e23da97c5d776707b4046939c55bbce60d51f81ee44d85932c5a0495e29edaac | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

sigam.bat

windows7-x64

8

sigam.bat

windows10-2004-x64

Sharing

General

Target

sigam.bat
Size

305KB
Sample

250308-ywn8bs1zbv
MD5

fc8cfb6ec385f5fb6562cd9743b6e779
SHA1

f8a2ad10335e6980e454890fe87fc05e0c7e8eff
SHA256

e23da97c5d776707b4046939c55bbce60d51f81ee44d85932c5a0495e29edaac
SHA512

204157ffe9d000a861d34bf72578485c10ffa507a4aeae9921fb87939782beadfc106e64511ba43b9ca1a0789d9e951626d515ac1f46567f2e27f5115e2b4d31
SSDEEP

6144:FKUweZmklFrB429lxBm0yX+EDNmHiBqNrTHR2XuGHSlGvUVPm8fCk:4URvrBDG0n6NEiBg2XlHS4vUVPJ

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

sigam.bat

Resource

win7-20250207-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

sigam.bat

Resource

win10v2004-20250217-en

xworm execution rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

if-eventually.gl.at.ply.gg:17094

Attributes

Install_directory
%Temp%
install_file
Sigam.exe

Targets

- Target
  
  sigam.bat
- Size
  
  305KB
- MD5
  
  fc8cfb6ec385f5fb6562cd9743b6e779
- SHA1
  
  f8a2ad10335e6980e454890fe87fc05e0c7e8eff
- SHA256
  
  e23da97c5d776707b4046939c55bbce60d51f81ee44d85932c5a0495e29edaac
- SHA512
  
  204157ffe9d000a861d34bf72578485c10ffa507a4aeae9921fb87939782beadfc106e64511ba43b9ca1a0789d9e951626d515ac1f46567f2e27f5115e2b4d31
- SSDEEP
  
  6144:FKUweZmklFrB429lxBm0yX+EDNmHiBqNrTHR2XuGHSlGvUVPm8fCk:4URvrBDG0n6NEiBg2XlHS4vUVPJ
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy