xworm

Sharing

Copy URL

Twitter E-mail

General

Target

Wave.JohnPrlx.cracked.rar
Size

10.3MB
Sample

240701-e4kqbszbpl
MD5

a502e43649c31bd6007912d68b37cad1
SHA1

9076425d466c78f4cf458ab9913fb0880fecf7d0
SHA256

6d5ff2230c713e9372d23989c3ea247d814ffc6f19380be86f7bccf3c0b6ff91
SHA512

cebdaf98e4406fcb95c3086c976c16313230c2630c610d542c61e1c8a655c28a4a6555d9c40a8faed760827d24613acc624547390d66e59f1a77ef7e45ff7ca0
SSDEEP

196608:3xLL5xzen4Pdl4KmMJpgkGTSLv+gaiPBgy/fxKKXWK22Ddd:hPKn4PYhT4ai/xPGQdd

Score

10^/10

Malware Config

Extracted

Family

xworm

stewiegriffin-37537.portmap.host:37537

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  Wave.JohnPrlx.cracked.rar
- Size
  
  10.3MB
- MD5
  
  a502e43649c31bd6007912d68b37cad1
- SHA1
  
  9076425d466c78f4cf458ab9913fb0880fecf7d0
- SHA256
  
  6d5ff2230c713e9372d23989c3ea247d814ffc6f19380be86f7bccf3c0b6ff91
- SHA512
  
  cebdaf98e4406fcb95c3086c976c16313230c2630c610d542c61e1c8a655c28a4a6555d9c40a8faed760827d24613acc624547390d66e59f1a77ef7e45ff7ca0
- SSDEEP
  
  196608:3xLL5xzen4Pdl4KmMJpgkGTSLv+gaiPBgy/fxKKXWK22Ddd:hPKn4PYhT4ai/xPGQdd
Score

3^/10
behavioral1 behavioral2
- Target
  
  CefSharp.Core.Runtime.dll
- Size
  
  16KB
- MD5
  
  13f2351b1335d78b0f8eab3bd7faf227
- SHA1
  
  474cb498fbcbfed3a76a88f79d0cb8d8bc648749
- SHA256
  
  91334c0362d8b3bdfcf64f9a894fdcb74640e92331d25f7d21a078e9a5889a6b
- SHA512
  
  4ed51899be712cc4b1da79bd0854e855c77d52d8291e30e480a8c11590d2c66968f191e6cb3d5237df78fd2f6bde9a7fbd13a1ce2d6a556fb80c643ddd25bd9c
- SSDEEP
  
  384:B4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4S4SB:B4S4S4S4S4S4S4S4S4S4S4S4S4S4S4SB
Score

1^/10
behavioral3 behavioral4
- Target
  
  WaveWindowsCracked.exe
- Size
  
  7.6MB
- MD5
  
  1aec1baab610e71d2dd83ddb08d9c49a
- SHA1
  
  47789c92be6ce830faa926acb1969086d410e4d4
- SHA256
  
  e2bfe1a9a590aab1f7572309b45c0cf88558f9c3463acb550d30e24f47132d1c
- SHA512
  
  2435a57bd91dae06c62ca1d209091f3ce4f3de9012eb80b901e89a62e60b28d45e5c94d018c5af5a831b3ff8d28e4bfc6e0c487125be14926a62b970e459690a
- SSDEEP
  
  196608:IUhZUvqevevx2QtiFX2PTiiXIeMeZ4SZCqL1:BhOvaZ+X2PG6Iep6SZCy
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6
- Target
  
  bin/Background.mp4
- Size
  
  4.6MB
- MD5
  
  9782180eb68f73030fe24ef6a1735932
- SHA1
  
  589827fe098ba048c9f871a28db8eae3e3537ff4
- SHA256
  
  3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7
- SHA512
  
  dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1
- SSDEEP
  
  98304:xs/6Ldccul3Wn48btjNEkPSFTaIwJ0Mt6KNY:xs/Gul3EvEmFItMkb
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral7 behavioral8
- Target
  
  bin/lz4.dll
- Size
  
  117KB
- MD5
  
  b93f8dd94878d2ec820cc9c59d4aa88d
- SHA1
  
  2b0a8d091129ff9945b55eec08f45cd407658531
- SHA256
  
  cf3911f90d87e5ec99b6a372e947019ff4186b2b18fdfe1b2b8cfb30f66428fc
- SHA512
  
  b9548ee5d66c35d5ad05878357108e1ae4f7cea31ebb66eda6aa70a77e0baf7fe119f7eba54c26ad2c901f2a5540dfe0446a408dace4d7a6ed35fead03178cd9
- SSDEEP
  
  3072:k00000000000000000000000000000000000000000000000000000000X:+
Score

1^/10
behavioral10 behavioral9
- Target
  
  bin/wolfssl.dll
- Size
  
  1.6MB
- MD5
  
  a5ed5188775d20f70555ff9177e1a913
- SHA1
  
  e2d400676e1c67d4918c3455dae6dbca16fdc203
- SHA256
  
  7a410bd6a39a65b6408773db9831b85ab3e09cf153c2091d1ea5d6d0750fe246
- SHA512
  
  b184beab7cefe060d703dc1d9bb46fec46d8aa058efbb52d23502c42c940f3e860ed41ddb25896b7969cf735a1e181cd2d69291a6cecf03943da514214d87365
- SSDEEP
  
  3072:/HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHP:n
Score

1^/10
behavioral11 behavioral12
- Target
  
  bin/xxhash.dll
- Size
  
  205KB
- MD5
  
  098aabd73a4778db8c5ce4a7fe965111
- SHA1
  
  f015f129621f1da8eff192d3a4b8042937b2660d
- SHA256
  
  c0111d493bd78b6ad35562d20c3e148827b2f7ca9a77879f719bd66895b1b2a4
- SHA512
  
  18704392a818fe707806a635fe8dcf33cc655fb29fe3aa71b5803631637e5bc24d6b1fcc3f28f6a70321393918e266a93be325f7af9c875da4c99578846a09cc
- SSDEEP
  
  3072:Yllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllw:3
Score

1^/10
behavioral13 behavioral14
- Target
  
  bin/zlib1.dll
- Size
  
  3.3MB
- MD5
  
  3ade0c26d0f3d201c198dc288c8fb8b6
- SHA1
  
  5ce87bfea3001ef65e25fee41b2c815acc6ca48b
- SHA256
  
  8ca248d69ddbcb0e167f174b7c1b15e85f45fa929a8e6b5dae84c1edc65e5d48
- SHA512
  
  24b232a5a3028fe5ac555eebc3b0a7b1075cec33d2805884a562978b77a866490530f7eb7c1ac44f1d534ca796dcfdfeb27e8d6d9c2c9e27d43afd9ae8224e9d
- SSDEEP
  
  3072:fllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllP:f
Score

1^/10
behavioral15 behavioral16
- Target
  
  bin/zstd.dll
- Size
  
  1.5MB
- MD5
  
  87e2881b682ba44d2d837f9e95883cc0
- SHA1
  
  ea18791c5344d39236b40035ec38c884e4d1aa22
- SHA256
  
  8605f4b677b2dcf65989841c13b519c24aabc75eede7f69978a8959d69cf839d
- SHA512
  
  11b7b5c120e0069598d8fb2283bf522c6d65cc0f9c82fce35c5af36e9bdbf5918099b1b574e2799da9b179b54758ab19ed44332af02e8b5645525f93cf6a7f63
- SSDEEP
  
  1536:Y99999999999999999999999999999999999999999999999999999999999999C:n
Score

1^/10
behavioral17 behavioral18
- Target
  
  cracked by JohnPrlx.txt
- Size
  
  22B
- MD5
  
  d5ffaf0245ec720c09d0e37f832b33d7
- SHA1
  
  dbff1dbcbaf7edc286e6bdf98ee52cc60e526ee9
- SHA256
  
  594142beb0389cbfc0368d3e5b61cee8c4bdb9f458760421a909848f39ea7194
- SHA512
  
  282393278060626d4c71fb22cb5cd08c34781c611cc07cd0d029ae32998c78d507300e2eee9e4e8bd88e3ef8038f524e910bfbd41811abd3ab97a0906e508047
Score

1^/10
behavioral19 behavioral20
- Target
  
  d3dcompiler_47.dll
- Size
  
  7KB
- MD5
  
  ad9035cde61738f9822c6cf841ffdff4
- SHA1
  
  ab4d0aea52cea032a325420d4408f3392d296537
- SHA256
  
  8b38e765a1595201c2c0557bfc2d7fc34a2aedaa4f99a75018830364f544aa48
- SHA512
  
  a4d14164463bce090e0d5638139ba2a658d46aa37e28c87962df1fc581ca9dc96442afb314aa8ed0d55445eb4ead0e058c7ed87d3d6f37f04e101e0215bf411b
- SSDEEP
  
  12:SPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPaPah:SU
Score

1^/10
behavioral21 behavioral22

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22