xworm | 212aca6c26f53a9a28f22019f2ce4143daa98db2fdb0c9515f7e6e2fb6822e0e | Triage

Submit
Reports

Overview

overview

Static

static

7

dotNET_Reactor.exe

windows10-2004-x64

Sharing

General

Target

dotNET_Reactor.exe
Size

15.9MB
Sample

240515-artp9aga8v
MD5

b8b690a0a2b61714b7f4a928a513182f
SHA1

63e466c49496a8be6a0f86644b031fd1db880c82
SHA256

212aca6c26f53a9a28f22019f2ce4143daa98db2fdb0c9515f7e6e2fb6822e0e
SHA512

3c1605c6ae9020d2ec13deb891c86eb0d43d0e106c41e969e890b875f706c7f607c03a5ae4236d89fe40c367ad8eb0e4cb78aeb1b9ea6764937708bf4b250463
SSDEEP

393216:4EjFakaECvYN6k0dgW7YMCDNlM7TMLl+BB1f9qTs7:4KWECQt02W7YXKXZBVETs

Score

10^/10

xworm zgrat rat trojan vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

dotNET_Reactor.exe

Resource

win10v2004-20240508-en

xworm zgrat rat trojan vmprotect

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

amazonshipping.duckdns.org:7000

Attributes

Install_directory
%LocalAppData%
install_file
MSBuild.exe

Targets

- Target
  
  dotNET_Reactor.exe
- Size
  
  15.9MB
- MD5
  
  b8b690a0a2b61714b7f4a928a513182f
- SHA1
  
  63e466c49496a8be6a0f86644b031fd1db880c82
- SHA256
  
  212aca6c26f53a9a28f22019f2ce4143daa98db2fdb0c9515f7e6e2fb6822e0e
- SHA512
  
  3c1605c6ae9020d2ec13deb891c86eb0d43d0e106c41e969e890b875f706c7f607c03a5ae4236d89fe40c367ad8eb0e4cb78aeb1b9ea6764937708bf4b250463
- SSDEEP
  
  393216:4EjFakaECvYN6k0dgW7YMCDNlM7TMLl+BB1f9qTs7:4KWECQt02W7YXKXZBVETs
Score

10^/10

xworm zgrat rat trojan vmprotect
- Detect Xworm Payload
- Detect ZGRat V1
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormzgratrattrojanvmprotect

© 2018-2024

Terms | Privacy