xworm | f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd | Triage

Submit
Reports

Overview

overview

Static

static

3

RobloxExecutor.exe

windows11-21h2-x64

Resubmissions

01-07-2024 16:09

240701-tl9n3ascnn 10

01-07-2024 00:42

240701-a2hqqstgjn 10

Sharing

General

Target

RobloxExecutor.exe
Size

316KB
Sample

240701-a2hqqstgjn
MD5

f0c864fee64edd613b413ddb7c559446
SHA1

87e75a58eef9f3765a2eed498f6aca135b1ef7c4
SHA256

f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd
SHA512

9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154
SSDEEP

3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p

Score

10^/10

xworm execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

RobloxExecutor.exe

Resource

win11-20240508-en

xworm execution rat trojan

windows11-21h2-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

allows-welfare.gl.at.ply.gg:49180

Mutex

B2qPpHuLCfcwYFiL

Attributes

Install_directory
%AppData%
install_file
System.exe

aes.plain

Targets

- Target
  
  RobloxExecutor.exe
- Size
  
  316KB
- MD5
  
  f0c864fee64edd613b413ddb7c559446
- SHA1
  
  87e75a58eef9f3765a2eed498f6aca135b1ef7c4
- SHA256
  
  f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd
- SHA512
  
  9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154
- SSDEEP
  
  3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy