xworm | f57974b92cbd62b205f91032622fed6962964b883750fb8c7454583e38bb9d85 | Triage

Submit
Reports

Overview

overview

Static

static

04f28f4975...0e.exe

windows7-x64

04f28f4975...0e.exe

windows10-2004-x64

Sharing

General

Target

f6bc727b25a9d6d15f62d459f2d875d0.bin
Size

30KB
Sample

240701-erp5aawbqg
MD5

ca8145a840ced9890d309a57ce312fa1
SHA1

2defa0142048dc4adebe1a5eb5cc1a38ffe8d522
SHA256

f57974b92cbd62b205f91032622fed6962964b883750fb8c7454583e38bb9d85
SHA512

6154aeeca7754531025aa6f14f9a35faffad41d801379594afe585b47c55b41b870bec153ef1fe758b3bd8a7137ff6b072ab94f760bd83218c2e902104795b2d
SSDEEP

768:+MtjUUHOqP5O+92Hc7azdWKpuVp0iGQSamKMAN6R9OL9xyujVwWY:+MtjUUutW2Hc7e5iVmA6/EOeY

Score

10^/10

xworm persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

04f28f4975a7ff3cb3439b65b8d2fad8e99e3431b65be0e065c194908459790e.exe

Resource

win7-20240221-en

xworm persistence rat trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

04f28f4975a7ff3cb3439b65b8d2fad8e99e3431b65be0e065c194908459790e.exe

Resource

win10v2004-20240226-en

xworm persistence rat trojan

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

modern-educators.gl.at.ply.gg:23695

Mutex

lu0xD4CO1T8ycPIn

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

Targets

- Target
  
  04f28f4975a7ff3cb3439b65b8d2fad8e99e3431b65be0e065c194908459790e.exe
- Size
  
  297KB
- MD5
  
  f6bc727b25a9d6d15f62d459f2d875d0
- SHA1
  
  a7502f6990fc98c4f634ec3e995cc7f443487b13
- SHA256
  
  04f28f4975a7ff3cb3439b65b8d2fad8e99e3431b65be0e065c194908459790e
- SHA512
  
  b0847c9b037ad9f2cffee62cd6f3193580e4e0950d0a3a1fbf6611df42474a511d30065f41cbdbaaf4360a6c61719b7d3f10692efac762d1a80f6311d42eb12a
- SSDEEP
  
  1536:vB5uVw89wt2v7Fz9fyOjAEx93MDbT0f5aX2:v++tov7Fz9fyOjOQxK2
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormpersistencerattrojan

behavioral2

xwormpersistencerattrojan

© 2018-2024

Terms | Privacy