xworm | e9a7cd4800b26c3a79f0595ee797afdaa43d39307cc203a555e3265365977347 | Triage

Submit
Reports

Overview

overview

Static

static

2024-07-01...ar.exe

windows7-x64

2024-07-01...ar.exe

windows10-2004-x64

Sharing

General

Target

2024-07-01_4cbd2f5201ad48eee23285fa5bd1b0db_hiddentear
Size

162KB
Sample

240701-hmx6wasanl
MD5

4cbd2f5201ad48eee23285fa5bd1b0db
SHA1

36b9840c9bc6a1f5355765274fed589a453822f8
SHA256

e9a7cd4800b26c3a79f0595ee797afdaa43d39307cc203a555e3265365977347
SHA512

a96ed9090b45ca891e1e8c189c5d21e3ed8ed2705c1f07e16126d3df1acbe76bfb65a7a9710d8d31c354d9205478f6d5897161918f15cc5c58710324b5ea6627
SSDEEP

3072:ST2oLp7ZAZb1O28wROqcAM+lmsolAIrRuw+mqv9j1MWLQI:UxgbDCT+lDAA

Score

10^/10

xworm execution rat trojan

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

2024-07-01_4cbd2f5201ad48eee23285fa5bd1b0db_hiddentear.exe

Resource

win7-20240611-en

xworm execution rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-07-01_4cbd2f5201ad48eee23285fa5bd1b0db_hiddentear.exe

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

172.94.32.98:7600

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  2024-07-01_4cbd2f5201ad48eee23285fa5bd1b0db_hiddentear
- Size
  
  162KB
- MD5
  
  4cbd2f5201ad48eee23285fa5bd1b0db
- SHA1
  
  36b9840c9bc6a1f5355765274fed589a453822f8
- SHA256
  
  e9a7cd4800b26c3a79f0595ee797afdaa43d39307cc203a555e3265365977347
- SHA512
  
  a96ed9090b45ca891e1e8c189c5d21e3ed8ed2705c1f07e16126d3df1acbe76bfb65a7a9710d8d31c354d9205478f6d5897161918f15cc5c58710324b5ea6627
- SSDEEP
  
  3072:ST2oLp7ZAZb1O28wROqcAM+lmsolAIrRuw+mqv9j1MWLQI:UxgbDCT+lDAA
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Detects Windows executables referencing non-Windows User-Agents
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy