xworm

Sharing

Copy URL

Twitter E-mail

General

Target

Nerestpc.zip
Size

12.3MB
Sample

250328-q8dncsyns4
MD5

084b565ef804fe3a055b14b8a0c21ed1
SHA1

885bba002d1fe3ea73d9ef0f7d7869d14b318004
SHA256

19de00696fc0e0d19e7663498e059be91d2e9754bb4738e6ba9a75967312d6c9
SHA512

b88035c72d3c415854211c89f87a9def9f878ec9089ec97d7a52bad2a3323d36583177fd72dc0e8803f7dfde99d3c4870d3e42b675888b00572831c9268778cf
SSDEEP

196608:RiDrvawoBKuJuPDW4CF46un659rCENnbFN4vG3loN6r/LPNH/otSCnTwGY/:ooBYDWl4pn6TrhnbF9oN6zdrCG/

Score

10^/10

Malware Config

Extracted

Family

xworm

127.0.0.1:62949

pidoras123131-62949.portmap.host:62949

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7812594920:AAF8LiE_BAgLbrCBoONka4W_igE0Wo_lUEg/sendMessage?chat_id=7101392896

Targets

- Target
  
  Nerestpc/Nerestpc.exe
- Size
  
  8.8MB
- MD5
  
  14862f30b225f2890861a5ad97c44237
- SHA1
  
  42d66e64f1f9b67ecd408f9688ad44335cdbef7b
- SHA256
  
  00eca4e6f39ba722102f071024c568862dd18e9669f431033576f62b6d847ca2
- SHA512
  
  71f7359bb27fa7eae54d72c4cf0c32d07d3b0ee59a1fe913b4fa8ef706758e625f7a5eac670eeef167b6899d6e04fa0ae4933b1af2e09ff735526973c0a13d4b
- SSDEEP
  
  196608:GaaKLgaeBMV1x2g5vrPnsvaH7ATG/3lVr99W7SONlmsQa:GangTBMfxXvrPdATGvRLOca
Score

10^/10

xworm discovery rat trojan persistence
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Nerestpc/bin/Adb.dll
- Size
  
  1.3MB
- MD5
  
  8818f197cf07662ecc70ae87d77464dd
- SHA1
  
  9c3dde439297509b67e56cd9568bd0628ec71d17
- SHA256
  
  e8f5a1c3c2f92d861fa868079f80a924be305dd0922a3c023485c9a1291c46fe
- SHA512
  
  f07700c7bf954a0f2617e7b3159355bac1f6530b4fcfe62628135f01be70945c8added3b50cab076cb76c0be4387a5b668f6bdc716073a044fff93afa2d01a26
- SSDEEP
  
  24576:gctQm1HzhITMNr1/xyDP9UfxD9tRtGHaYwAiuIcHNtFpPNJcqO1vB:gctQm1lnNrZYP4xD9ftIaYwazDJ
Score

1^/10
behavioral3
- Target
  
  Nerestpc/bin/AdbWinApi.dll
- Size
  
  105KB
- MD5
  
  73030f38c867f5a7bd6ee331203f3d7a
- SHA1
  
  3e71b43c9b25af29bb4b8f455c176c5e89404567
- SHA256
  
  9ffacedc41b2752075571e1a474ff50c5dcbe1f64db56db24aaec78aea1126df
- SHA512
  
  492988fc89ae61e3af4904c0f593fbc4703293a915901ff98824cdcc77a7ac695faee8e1da56c66e3e2591216234a609841fb2393ce1dd2aeb91014952c6a297
- SSDEEP
  
  1536:2wqdq+3pvspmLh8SCykrpTG7kfGHuNezq02XJqo+iFi1yCPP7r3PxUU:2wqD3L8Tezq0et+ui1y6vxr
Score

3^/10

discovery
behavioral4 behavioral5
- Target
  
  Nerestpc/bin/AdbWinUsbApi.dll
- Size
  
  71KB
- MD5
  
  f67d9ec28d19316754d7ecb0e990197d
- SHA1
  
  a82ba3ad1a0749dd91eaac34dced3622d10dba54
- SHA256
  
  13918fdab0c3ac77d077453a6036247cfeca10910aec845f188c41148c630bb2
- SHA512
  
  abd80e386ce282bbb4727c7bd795d7bb0046fecfe65b005c98609f18b341606166187e951a5beacb5112726eab28bf9b75b383cb55ca9d0303b286389fd25022
- SSDEEP
  
  1536:q72doFmOiHizFbPlspcsbj5ZsP+YeTs1pH7tsPxHt:qSSfN9+YeTs1pHJcxN
Score

3^/10

discovery
behavioral6 behavioral7
- Target
  
  Nerestpc/bin/adb.exe
- Size
  
  5.6MB
- MD5
  
  f1f479bba21298e758fc22d8d98f8e48
- SHA1
  
  2f7ef0bf7a9ca33da621ba29794ae9c8c95c0bca
- SHA256
  
  705ddc21f33ac52105d1b075b019962ad0e44fb3d560bde69ce8cb3a36bca183
- SHA512
  
  3b491cd07e1e05e14fcec13956e8c023a4f2bbcb9459f3965868a00e33bc4d7e258ac645da9f1b5ca6f9d9a757b879d696ab95800a03240b37aa42265d4e914f
- SSDEEP
  
  49152:p1bbBWmqcEr5DV0uLC5sakvVgieBn5BzPZjdZYvM+ojzJLF+vW6Daa55pXxNh9Vm:hgV5mkvt6NzZYU+iWz5iXGTailRRQd
Score

3^/10

discovery
behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9