metasploit

General

Target

Binaries.rar
Size

1019KB
Sample

250326-r299eswzg1
MD5

9f0a1e5448e276fd9a1868b08261b258
SHA1

bd0e596a0dacba429edc5d06ca23df7a6136682e
SHA256

5d112a86cfba7fc6a1a176b08fb203eb98d103ba95f9edf6adb72c70558f0c96
SHA512

3a81021e2bff42b1e861d791c9f9089853b5d8e44a8b12aa3f2018a6eba55ee3de3f744c75e2021f6570f7712b1dc1589ff1aa52a4804f02f2111dc3de0a2d52
SSDEEP

24576:uc7mwB4VdnJuGYlLS1GmezoXZUnfG4vLjcl7FpOR5wG24q+h:cU4TeVqaoXO+4vv+fORR24q2

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

multi-referral.gl.at.ply.gg:43504

Mutex

L9qlmFNDu8drSdGe

Attributes

Install_directory
%Userprofile%
install_file
SecurityHealthSystray.exe
telegram
https://api.telegram.org/bot7999164804:AAFnlMmOEm_tg1MgP0Rjs4-EAp9cjIouFj4/sendMessage?chat_id=5462166893

aes.plain

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

147.185.221.26:43504

Targets

- Target
  
  Binaries.rar
- Size
  
  1019KB
- MD5
  
  9f0a1e5448e276fd9a1868b08261b258
- SHA1
  
  bd0e596a0dacba429edc5d06ca23df7a6136682e
- SHA256
  
  5d112a86cfba7fc6a1a176b08fb203eb98d103ba95f9edf6adb72c70558f0c96
- SHA512
  
  3a81021e2bff42b1e861d791c9f9089853b5d8e44a8b12aa3f2018a6eba55ee3de3f744c75e2021f6570f7712b1dc1589ff1aa52a4804f02f2111dc3de0a2d52
- SSDEEP
  
  24576:uc7mwB4VdnJuGYlLS1GmezoXZUnfG4vLjcl7FpOR5wG24q+h:cU4TeVqaoXO+4vv+fORR24q2
Score

10^/10

metasploit xworm backdoor rat trojan
- Detect Xworm Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Xworm Payload

Metasploit family

Xworm

Xworm family

Checks computer location settings

Drops startup file

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2