Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://bazaar.abuse...

windows10-ltsc_2021-x64

10

Resubmissions

15/04/2025, 19:56

250415-ynn8cszpz8 10

15/04/2025, 19:53

250415-yl5sbswwg1 4

15/04/2025, 19:21

250415-x23r8swvet 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://bazaar.abuse.ch/download/532ccea42fbb9cbeec1ae220a6ccce867ab2fecf064e5177b7f4ec570d3304bc/

  • Sample

    250415-x23r8swvet

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://92.255.85.2/rc.mp4

Extracted

Family

xworm

Version

5.0

C2

maxbusinessworld.duckdns.org:3977

92.255.85.66:7000
Mutex

JmMnKKmFTwKVivmS

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

xworm

Version

3.1

C2

support-available.gl.at.ply.gg:3137

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://92.255.85.2/pixel.exe
exe.dropper

http://92.255.85.2/pixel.exe

Targets

    • Target

      https://bazaar.abuse.ch/download/532ccea42fbb9cbeec1ae220a6ccce867ab2fecf064e5177b7f4ec570d3304bc/

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks