xworm | e7551b81392e6e047d087d496b8a26443cb83074a1f93a448e207bdc81d0487a | Triage

Submit
Reports

Overview

overview

Static

static

1

xplor.bat

windows10-1703-x64

8

xplor.bat

windows11-21h2-x64

Sharing

General

Target

xplor.bat
Size

67KB
Sample

240630-dmzmgsshnd
MD5

e73ebec54986581fbbd93963e1fbf6b1
SHA1

2981273cb4df5c03e997f25ca217a1368e9e0635
SHA256

e7551b81392e6e047d087d496b8a26443cb83074a1f93a448e207bdc81d0487a
SHA512

b1a1bc06b9ca737d4b3feb78d7e97e42ede7b8df81e48bab0354419bd65a143438154e6e68a2d8a061a21ecc4d41e6fc7730699b822d2c9dc646198f1158801b
SSDEEP

48:+HEIFOhNg8Mh0vULQyDzPMdFijnH6HCRYglCtiJOTOTOTOTOTOTOTOTOTOTOTOTt:+HEIFOhS8S0OQyZrH6viyKCCFX

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

xplor.bat

Resource

win10-20240611-en

windows10-1703-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

xplor.bat

Resource

win11-20240611-en

xworm execution persistence rat trojan

windows11-21h2-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:46625

Attributes

Install_directory
%AppData%
install_file
Teams.exe
telegram
https://api.telegram.org/bot7251026627:AAFe7iqGz4Cd2IluTlmdghq0XQUzAYL6FpY

Targets

- Target
  
  xplor.bat
- Size
  
  67KB
- MD5
  
  e73ebec54986581fbbd93963e1fbf6b1
- SHA1
  
  2981273cb4df5c03e997f25ca217a1368e9e0635
- SHA256
  
  e7551b81392e6e047d087d496b8a26443cb83074a1f93a448e207bdc81d0487a
- SHA512
  
  b1a1bc06b9ca737d4b3feb78d7e97e42ede7b8df81e48bab0354419bd65a143438154e6e68a2d8a061a21ecc4d41e6fc7730699b822d2c9dc646198f1158801b
- SSDEEP
  
  48:+HEIFOhNg8Mh0vULQyDzPMdFijnH6HCRYglCtiJOTOTOTOTOTOTOTOTOTOTOTOTt:+HEIFOhS8S0OQyZrH6viyKCCFX
Score

10^/10

execution xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy