Malware with a wide range of capabilities, ranging from RAT to ransomware.
rule win_xworm_w0 {
    meta:
        author = "jeFF0Falltrades"
        date = "2024-07-30"
        version = "1"
        description = "Detects win.xworm."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm"
        malpedia_rule_date = "20240730"
        malpedia_hash = ""
        malpedia_version = "20240730"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $str_xworm = "xworm" wide ascii nocase
        $str_xwormmm = "Xwormmm" wide ascii
        $str_xclient = "XClient" wide ascii
        $str_xlogger = "XLogger" wide ascii
        $str_xchat = "Xchat" wide ascii
        $str_default_log = "\\Log.tmp" wide ascii
        $str_create_proc = "/create /f /RL HIGHEST /sc minute /mo 1 /t" wide ascii
        $str_ddos_start = "StartDDos" wide ascii
        $str_ddos_stop = "StopDDos" wide ascii
        $str_timeout = "timeout 3 > NUL" wide ascii
        $byte_md5_hash = { 7e [3] 04 28 [3] 06 6f }
        $patt_config = { 72 [3] 70 80 [3] 04 }

    condition:
        5 of them and #patt_config >= 5
}
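The rule above combines three mechanics worth understanding before deploying it: `wide ascii` strings match both the UTF-16LE and the single-byte encoding, `[3]` in a hex pattern is a three-byte jump (wildcard), and the condition requires both five distinct strings to hit and the `$patt_config` counter (`#patt_config`) to reach five. The following Python is an added example, not code from Malpedia or from the rule author; it re-implements that match logic with the standard `re` module so the condition can be traced by hand against two constructed sample buffers (one that satisfies the rule, one that carries the same strings but only four config-pattern hits). For real scanning, use yara-python with the rule itself; the `rule_matches` and `scan` helpers here exist only to illustrate the semantics.

```python
import re

# Strings copied from win_xworm_w0, with a flag for the nocase modifier.
# All of them carry "wide ascii", so each is matched in both encodings.
TEXT_STRINGS = {
    "str_xworm": ("xworm", True),
    "str_xwormmm": ("Xwormmm", False),
    "str_xclient": ("XClient", False),
    "str_xlogger": ("XLogger", False),
    "str_xchat": ("Xchat", False),
    "str_default_log": ("\\Log.tmp", False),
    "str_create_proc": ("/create /f /RL HIGHEST /sc minute /mo 1 /t", False),
    "str_ddos_start": ("StartDDos", False),
    "str_ddos_stop": ("StopDDos", False),
    "str_timeout": ("timeout 3 > NUL", False),
}

# Hex patterns from the rule; "[n]" is an n-byte jump, "??" a single wildcard byte.
HEX_PATTERNS = {
    "byte_md5_hash": "7e [3] 04 28 [3] 06 6f",
    "patt_config": "72 [3] 70 80 [3] 04",
}


def text_regex(s, nocase):
    """Build a bytes regex equivalent to a YARA 'wide ascii [nocase]' string."""
    raw = s.encode()
    ascii_pat = re.escape(raw)
    # 'wide' means UTF-16LE: every byte is followed by a NUL.
    wide_pat = b"".join(re.escape(bytes([c])) + b"\x00" for c in raw)
    flags = re.DOTALL | (re.IGNORECASE if nocase else 0)
    return re.compile(b"(?:" + ascii_pat + b")|(?:" + wide_pat + b")", flags)


def hex_regex(pattern):
    """Translate a YARA hex string (with jumps and ?? wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%s,%s}" % (lo.encode(), (hi or lo).encode()))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def count_matches(regex, data):
    """Count occurrences including overlapping ones, as YARA's #string counter does."""
    lookahead = re.compile(b"(?=" + regex.pattern + b")", regex.flags)
    return sum(1 for _ in lookahead.finditer(data))


def scan(data):
    """Return a per-string hit count for the buffer."""
    counts = {}
    for name, (s, nocase) in TEXT_STRINGS.items():
        counts[name] = count_matches(text_regex(s, nocase), data)
    for name, pat in HEX_PATTERNS.items():
        counts[name] = count_matches(hex_regex(pat), data)
    return counts


def rule_matches(data):
    """Evaluate the condition: 5 of them and #patt_config >= 5."""
    counts = scan(data)
    distinct_hits = sum(1 for c in counts.values() if c > 0)
    return distinct_hits >= 5 and counts["patt_config"] >= 5


# Constructed sample data (not real XWorm bytes): one instance of the config pattern,
# with arbitrary filler in the jump positions.
PATT_CONFIG_HIT = bytes.fromhex("72 aa bb cc 70 80 11 22 33 04")

# Four text strings (XClient as UTF-16LE, the rest ASCII) plus the config pattern.
_COMMON = (
    b"\x00" * 16
    + "XClient".encode("utf-16-le") + b"\x00\x00"
    + b"XLogger\x00StartDDos\x00timeout 3 > NUL\x00"
)
SAMPLE_HIT = _COMMON + PATT_CONFIG_HIT * 5 + b"\x00" * 16    # 5 strings, #patt_config = 5
SAMPLE_MISS = _COMMON + PATT_CONFIG_HIT * 4 + b"\x00" * 16   # 5 strings, #patt_config = 4


if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        hits = {k: v for k, v in scan(buf).items() if v}
        print(label, rule_matches(buf), hits)
```

Note that `$patt_config` itself counts toward "5 of them", so a buffer with four text strings and the config pattern reaches the first clause; it is the `#patt_config >= 5` counter that separates the two samples. That counter is what keeps generic .NET string-load / field-store sequences (`ldstr ... stsfld ...`, which is what the `72 .. 70 80 .. 04` bytes look like) from firing on a single coincidental occurrence.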