xworm | dcce0f8781c9219e86bfed54d4dfb660b6ac1abb5fe6d8c4d3d25be89bad934c | Triage

Submit
Reports

Overview

overview

Static

static

3

Xeno.exe

windows10-2004-x64

Sharing

General

Target

Xeno.exe
Size

8.7MB
Sample

250328-yz8q5s1scx
MD5

cd51ccf18822405053a6a1f0bd06c53d
SHA1

1668374896513b13220389a78a9b7f285639b45b
SHA256

dcce0f8781c9219e86bfed54d4dfb660b6ac1abb5fe6d8c4d3d25be89bad934c
SHA512

97e267f5456fe6ba6f49fe695b4f4cd4aaf5fa6cd48eee2da0dd37fc7e5c0b85da4e3a323ca56545f55706cbd9936a6c12f5b4ee0f004e578005bdd01ad34ef8
SSDEEP

196608:p2j2QI6dXnan2wDwblij7rMpHS3Q0GLsGoxiSkOUFmuMl:pQ2QI6OYMIpLVLZXO/Hl

Score

10^/10

xworm discovery execution rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Xeno.exe

Resource

win10v2004-20250314-en

xworm discovery execution rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

distance-av.gl.at.ply.gg:18726

distance-av.gl.at.ply.gg:18726:18726

Mutex

mQAkhgM0nYwqoekP

Attributes

Install_directory
%AppData%
install_file
Xeno.exe

aes.plain

Targets

- Target
  
  Xeno.exe
- Size
  
  8.7MB
- MD5
  
  cd51ccf18822405053a6a1f0bd06c53d
- SHA1
  
  1668374896513b13220389a78a9b7f285639b45b
- SHA256
  
  dcce0f8781c9219e86bfed54d4dfb660b6ac1abb5fe6d8c4d3d25be89bad934c
- SHA512
  
  97e267f5456fe6ba6f49fe695b4f4cd4aaf5fa6cd48eee2da0dd37fc7e5c0b85da4e3a323ca56545f55706cbd9936a6c12f5b4ee0f004e578005bdd01ad34ef8
- SSDEEP
  
  196608:p2j2QI6dXnan2wDwblij7rMpHS3Q0GLsGoxiSkOUFmuMl:pQ2QI6OYMIpLVLZXO/Hl
Score

10^/10

xworm discovery execution rat trojan upx
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionrattrojanupx

© 2018-2025

Terms | Privacy