xworm | 804a92bb8ebfbe27bc482e76e2d8675f33f4257d3497a92105dc8bfa09011153 | Triage

Submit
Reports

Overview

overview

Static

static

c826d38990...5b.exe

windows7-x64

c826d38990...5b.exe

windows10-2004-x64

Sharing

General

Target

7574843f91261ab512b368ce7942d6ae.bin
Size

19KB
Sample

240701-cq142swgjp
MD5

db26888f69e322e211dde950651e6866
SHA1

76f1a070cfacf6c47ff8251e67f83dd904082d7e
SHA256

804a92bb8ebfbe27bc482e76e2d8675f33f4257d3497a92105dc8bfa09011153
SHA512

a4f9e6994db5f332fb9eafbe484396a9a98ad6d43223841bb7daa03705f65c1c5b4ef876688d550a0d61451467752f64539092c5efa10007be416aa95a6c60e5
SSDEEP

384:2svaJOD5T6mNqwhT/fAYcuvwswWbM4r3CcosdouIq+d2QJuuV920IBg:gebh0XWg4T/hS56Tg

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

c826d38990051067a23d7ced76e20925ec47749e562ef718029ff06555680b5b.exe

Resource

win7-20240220-en

xworm execution persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

c826d38990051067a23d7ced76e20925ec47749e562ef718029ff06555680b5b.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

64.23.249.117:6098

Mutex

qBm7HSWbfhJrOf6O

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Targets

- Target
  
  c826d38990051067a23d7ced76e20925ec47749e562ef718029ff06555680b5b.exe
- Size
  
  39KB
- MD5
  
  7574843f91261ab512b368ce7942d6ae
- SHA1
  
  901ad41ebcf742e242f0628f8aa5570edc0999b5
- SHA256
  
  c826d38990051067a23d7ced76e20925ec47749e562ef718029ff06555680b5b
- SHA512
  
  0ae4db524ea03ef2f3b74c60dbe772d69d733392ae78705d13d27a9ebe5cd8b6ee9d9ba51bc0d59980a0922730f8930ffbf246e735e53abb52a2910f52d838cb
- SSDEEP
  
  768:IfP7EV11K5acblLJKuuwhS5vypufFWPa9bt6POwhoaibE:SDEV10wuVJKuuwhSIEFv9bt6POwyjQ
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy