xworm | 7beff8e3153ee395fec616046f0c39dff785a6b5a0762a8639756925c6aec5ab | Triage

Sharing

General

Target

CleanCloner.exe
Size

16.3MB
Sample

250309-lbmsjsztcv
MD5

e6ee0a54c4e9351983193e5944b66344
SHA1

e182fce1c3e548d69a15d16edacfce95f1e33ae9
SHA256

7beff8e3153ee395fec616046f0c39dff785a6b5a0762a8639756925c6aec5ab
SHA512

4a8c99b1c00957771f64b01d73daebd5e0d61d5bd786d5141ef39e08bb40e35dfa2f525e970c98085d1ae0f5a66645f6e78ab02e75299ebef60a486fba8700b9
SSDEEP

393216:vmer0QDwxpUTLfhJD1+TtIiFoY9Z8D8CclGm3rcrzTjtFCYhuLxkK:v9E7UTLJF1QtI3a8DZc0IraUSK

Score

10^/10

xworm execution pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

meowycatty.ddns.net:8843

Mutex

0E4VwJ2aWKHLu9kc

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  CleanCloner.exe
- Size
  
  16.3MB
- MD5
  
  e6ee0a54c4e9351983193e5944b66344
- SHA1
  
  e182fce1c3e548d69a15d16edacfce95f1e33ae9
- SHA256
  
  7beff8e3153ee395fec616046f0c39dff785a6b5a0762a8639756925c6aec5ab
- SHA512
  
  4a8c99b1c00957771f64b01d73daebd5e0d61d5bd786d5141ef39e08bb40e35dfa2f525e970c98085d1ae0f5a66645f6e78ab02e75299ebef60a486fba8700b9
- SSDEEP
  
  393216:vmer0QDwxpUTLfhJD1+TtIiFoY9Z8D8CclGm3rcrzTjtFCYhuLxkK:v9E7UTLJF1QtI3a8DZc0IraUSK
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
behavioral1
- Target
  
  clean.pyc
- Size
  
  17KB
- MD5
  
  893a62c02c92c9cb4e8c78a90864991c
- SHA1
  
  80874745bc93558c631ef529e27e33073178fc07
- SHA256
  
  ccc0b43b6b1f158587a4300500227528e96d1986a5306567d8c4a0a4574aaf76
- SHA512
  
  8aa3ac336078f4f034911440e3226d54ba0eb7329a57f7b8a44e0eff43215e94815a0db2b172bef8ec94379f6029e22c8bee8b456efddf53b2b8f10247d5f629
- SSDEEP
  
  192:Z+UE0rURjemlylYrZA8cHTcAQiUaXpwTkXHE+9sG9IGGEA7c4:ZpE09mlylYrlcHeXaXp6o77CPE8
Score

3^/10
behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2