xworm | 39497d1f152da58a2c2d8970b05f795b05a6607c50a86c058d418985ed4a264e | Triage

Submit
Reports

Overview

overview

Static

static

sesh.exe

windows10-2004-x64

Sharing

General

Target

sesh.exe
Size

85KB
Sample

240629-3b38zaygmg
MD5

eb2fdf65f05738084eafbffafd050f96
SHA1

94b744a2552451b2b5dcadce71a31b9826ecba96
SHA256

39497d1f152da58a2c2d8970b05f795b05a6607c50a86c058d418985ed4a264e
SHA512

7bf9ab33f7b5e4fde676a6ab27a9aff918bfefc8f5defd3442c03cdf59c4d61a7af9103e877643f92839fb42316c5319b5972bc7317b51354162a1f4b53eb157
SSDEEP

1536:KT1xavSIvbf6DC2BY3cebMXC9GjBVUF06ppMQvO+1DkdQr:CVIzaBYMebMaGla5pVvOuDVr

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

sesh.exe

Resource

win10v2004-20240611-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:33823

Azuu-57677.portmap.io:33823

remember-sail.gl.at.ply.gg::33823

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Targets

- Target
  
  sesh.exe
- Size
  
  85KB
- MD5
  
  eb2fdf65f05738084eafbffafd050f96
- SHA1
  
  94b744a2552451b2b5dcadce71a31b9826ecba96
- SHA256
  
  39497d1f152da58a2c2d8970b05f795b05a6607c50a86c058d418985ed4a264e
- SHA512
  
  7bf9ab33f7b5e4fde676a6ab27a9aff918bfefc8f5defd3442c03cdf59c4d61a7af9103e877643f92839fb42316c5319b5972bc7317b51354162a1f4b53eb157
- SSDEEP
  
  1536:KT1xavSIvbf6DC2BY3cebMXC9GjBVUF06ppMQvO+1DkdQr:CVIzaBYMebMaGla5pVvOuDVr
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy