xworm | f352579ae0f0f115437690d14b911aee168574c8bc061c475b9c83bb065932a1 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

67KB
Sample

240630-3frqqssdkq
MD5

12c7786f3f9f87fc04fd3562d957a57a
SHA1

e4df265d2a5678e8620c6633a898647ac41514da
SHA256

f352579ae0f0f115437690d14b911aee168574c8bc061c475b9c83bb065932a1
SHA512

a43be5f5626c33211741f95f578666b4b3a40514bdd3726f5ca564fdba968a4b9f059e230cdd9625ade48ede2daeecfbd83f739bf21c3e74489210a16d094c08
SSDEEP

1536:Zc6GeeDwRMepnZ8k2fbRE+ptxb7Ed4pXD/6M/qOSYGLZ:60einZ8LDRE+ptxbw2zRyOSYuZ

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

147.185.221.19:33365:2137

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  XClient.exe
- Size
  
  67KB
- MD5
  
  12c7786f3f9f87fc04fd3562d957a57a
- SHA1
  
  e4df265d2a5678e8620c6633a898647ac41514da
- SHA256
  
  f352579ae0f0f115437690d14b911aee168574c8bc061c475b9c83bb065932a1
- SHA512
  
  a43be5f5626c33211741f95f578666b4b3a40514bdd3726f5ca564fdba968a4b9f059e230cdd9625ade48ede2daeecfbd83f739bf21c3e74489210a16d094c08
- SSDEEP
  
  1536:Zc6GeeDwRMepnZ8k2fbRE+ptxb7Ed4pXD/6M/qOSYGLZ:60einZ8LDRE+ptxbw2zRyOSYuZ
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy