xworm

Sharing

Copy URL

Twitter E-mail

General

Target

doc_Rfq_TNTM Új rend TM00002916620 exp_pdf.exe
Size

2.1MB
Sample

240629-htsjzawdmp
MD5

f6a8c9894f707a594a924f4c197f0f2a
SHA1

a6cd353fe512a4f1c6d74064979f4475c574ddd7
SHA256

542ddd41bf8603c95458d6c2c15e1a0cff107fbabac55b69b92bd40fd8bf1696
SHA512

a9e8a3d1705b7f95944a406f7639c07497ae50b9a11b9f77304bcb1d33cda4f3a05c831b47206d153da7c7d9eae22b84e0a17b9aae0ee1f36784acf4b63951b4
SSDEEP

49152:jF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUWeaw1GmNOm/:XroA7PDa

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

twart.myfirewall.org:59012

Mutex

gOdjUs2unoOU0NeI

Attributes

Install_directory
%AppData%
install_file
windows.exe

aes.plain

Targets

- Target
  
  doc_Rfq_TNTM Új rend TM00002916620 exp_pdf.exe
- Size
  
  2.1MB
- MD5
  
  f6a8c9894f707a594a924f4c197f0f2a
- SHA1
  
  a6cd353fe512a4f1c6d74064979f4475c574ddd7
- SHA256
  
  542ddd41bf8603c95458d6c2c15e1a0cff107fbabac55b69b92bd40fd8bf1696
- SHA512
  
  a9e8a3d1705b7f95944a406f7639c07497ae50b9a11b9f77304bcb1d33cda4f3a05c831b47206d153da7c7d9eae22b84e0a17b9aae0ee1f36784acf4b63951b4
- SSDEEP
  
  49152:jF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUWeaw1GmNOm/:XroA7PDa
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2