xworm | 8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653 | Triage

Submit
Reports

Overview

overview

Static

static

3

XWormLoader5.2.exe

windows7-x64

XWormLoader5.2.exe

windows10-2004-x64

Sharing

General

Target

XWormLoader5.2.exe
Size

328KB
Sample

240630-lem8gswang
MD5

7b421f9a8cbcf57135dfaaa03e138f83
SHA1

f7f9eaa8ac991cfba88cea00fa273e2b173ed785
SHA256

8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653
SHA512

6903cae013bd87bb6416ecc2db6e1c7462354a4387da50e48665fa20f68bb918d786d9a22690cfdaf6fb987a3539dfafb7daeb5da130b3cf4fa304dad10d3143
SSDEEP

6144:zE+IZP9d8mZrz+QftDS8lHAAJq0Q7u8mZrz+Q/zqm:1IZPH80n+QFDS8lgUbQq80n+Q/

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

XWormLoader5.2.exe

Resource

win7-20231129-en

xworm execution persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

XWormLoader5.2.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

promptylol-44968.portmap.io:44968

Attributes

Install_directory
%LocalAppData%
install_file
dllhost.exe

Targets

- Target
  
  XWormLoader5.2.exe
- Size
  
  328KB
- MD5
  
  7b421f9a8cbcf57135dfaaa03e138f83
- SHA1
  
  f7f9eaa8ac991cfba88cea00fa273e2b173ed785
- SHA256
  
  8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653
- SHA512
  
  6903cae013bd87bb6416ecc2db6e1c7462354a4387da50e48665fa20f68bb918d786d9a22690cfdaf6fb987a3539dfafb7daeb5da130b3cf4fa304dad10d3143
- SSDEEP
  
  6144:zE+IZP9d8mZrz+QftDS8lHAAJq0Q7u8mZrz+Q/zqm:1IZPH80n+QFDS8lgUbQq80n+Q/
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy