xworm | 0d23152df158541a195e57e5e6f1027728349e8e813f002d46a0c6950a90c688 | Triage

Submit
Reports

Overview

overview

Static

static

3

Payment_In...on.exe

windows7-x64

Payment_In...on.exe

windows10-2004-x64

Sharing

General

Target

01072024_1044_Payment_Information.zip
Size

594KB
Sample

240701-ms1leaxane
MD5

50c4962e4715ff425067203256b8b608
SHA1

f86e40e6b004b9b450964696e78fb2e76ff0f6a6
SHA256

0d23152df158541a195e57e5e6f1027728349e8e813f002d46a0c6950a90c688
SHA512

b4941a7e47799cf8d6826965ee696e52520b99bebd8a0eddee1cfec237a852a31716d982cec915fe4cf6b0dbc5d0de5a1398d2933fa8e52df64ec2d004688581
SSDEEP

12288:PnE1xrHxZjWL+g9fAFi7fHLSboIgPQbOmrBQAe8lDNa1TaZY:PE11R0LvfAFiYNgkOJC41T3

Score

10^/10

xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Payment_Information.exe

Resource

win7-20240221-en

xworm execution persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

Payment_Information.exe

Resource

win10v2004-20240508-en

xworm execution persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

newsferinfo.com:7000

continentalgames.top:7000

Mutex

8VF9MKRpl0LkiNW2

Attributes

Install_directory
%Public%
install_file
microsoft_version_0124.exe

aes.plain

Targets

- Target
  
  Payment_Information.exe
- Size
  
  1.2MB
- MD5
  
  bfe4e6c774018b6e85d33fd381427d2f
- SHA1
  
  e75e6b64ea2c112a3a1b6a5ca1c0663cb185f704
- SHA256
  
  473c0737f6125ad0dff41521ab1e6331cd457c3253556b2bce4482ebf86e829b
- SHA512
  
  041f0fd37b0fff784b22261e23853fd3474881820f01aa3cc1dbdf4c4c0c25dfda70b15a4ac007aef70b3d28c92cfde60d3ec91e32f48c670f94e90b10d904a3
- SSDEEP
  
  24576:q4fvrZFtYuN29VEFV5qSh0lhSMXl0NJkdV4KKhnPmgUf5:nvhQVKV5qPkJIV4ZhPmT
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy