xworm

Sharing

Copy URL

Twitter E-mail

General

Target

Wave_28_06_24 (1).zip
Size

7.1MB
Sample

240701-syw33a1hpq
MD5

add22dd1fc49c09759b17923939c2a00
SHA1

65c0f450b02a72b40ccd3efc1557bebe288de2fe
SHA256

eeb3a364affb011a8a548ce6878a062de501c5f9acb68f137cb44c6a45d716d5
SHA512

840d402d92eb7ad76a1e42cb1adb265f8531be02519af4f5293a86113e685a1a189fe58510f84f565d14b749c9c65179ebfe5a3ef15b58f65a6c5ffd3f574b51
SSDEEP

196608:Dh3/WAH1bmZMbpfZp+MfPQrn/qN14CQPz9lRYQBmUT:DZ/v2MDeG+XrqQBD

Score

10^/10

Malware Config

Extracted

Family

xworm

courses-disney.gl.at.ply.gg:21335

127.0.0.1:21335

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage?chat_id=809478226

Targets

- Target
  
  Wave_28_06_24/Wave.exe
- Size
  
  7.3MB
- MD5
  
  92d883d4d144e110b1997924c390e11e
- SHA1
  
  c42ab515f865b429016fc16faecf0415d5004e29
- SHA256
  
  1297e636f5bcea89e6fc45a6dd05d0464451cc1dca7b423fd652e932dc6408e4
- SHA512
  
  c73352005a8034e9f0d044ebb7c9e4a0f97bee99fa0e9c6503ca70743232e1998b52846a0761c6fdab58c29554666e7122660b9da829210f3bb83f32f04981d9
- SSDEEP
  
  196608:V4FB96c/z3etLp+v2gwdP2gzmEWSyRy/16aGb3:VM8k3e1xdFqCm2a3
Score

10^/10

xworm discovery execution persistence rat spyware stealer trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2
- Target
  
  Wave_28_06_24/readme.txt
- Size
  
  804B
- MD5
  
  65fb485acf9f11761a3d2620a3c8ef2d
- SHA1
  
  fbc6c41ed18ee34b6c4c0280ab90b1aef4c824ef
- SHA256
  
  71c0fa19a4a05226f4b4541556b565f41a3a5fac3d35999e9d870e8c3ea1583f
- SHA512
  
  ab4cd4112570db8b7935ae24c0ac4f922b62bfba06d0981348b0e94f998ee5b57d0007dac1be1348c0d1f1cbb3060617e06dc971c12822f7c2f92efa87d3163a
Score

3^/10
behavioral3 behavioral4