General

  • Target

    XWorm-RAT-_ed.zip

  • Size

    34.8MB

  • Sample

    221023-s9kjeabag7

  • MD5

    9053a04269caac4904017fb49eba6573

  • SHA1

    966d63e685196206ebda579e48b7e99bda5f7162

  • SHA256

    e902bd20f12010f533a624942623b29f00a07430b3b1b44c53ddc72251a6926f

  • SHA512

    bca86193a6845ad0a9469d674237ba76a9f5ef24e32e48164cc124e15f2ca362551a08a4979a02d5409cf24ef4f97985a8cbc41b3a71df1415362211f2bf2ee5

  • SSDEEP

    786432:TjXKlNZ//HL2Q+fIZyzD7sp7clWQO/gDQXzTnHB35mOPB3FiIKv:fmv/T2vf3v7seA78Wh35muB0l

Malware Config

Targets

    • Target

      XWorm-RAT-main/XWorm RAT V2.1/FastColoredTextBox.dll

    • Size

      333KB

    • MD5

      b746707265772b362c0ba18d8d630061

    • SHA1

      4b185e5f68c00bef441adb737d0955646d4e569a

    • SHA256

      3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519

    • SHA512

      fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8

    • SSDEEP

      6144:4FErOIif3RzSHh+20lXs1TzCeBcQeDbNlz7:eEeR52bmeh0n

    • Score

      1/10

    • Target

      XWorm-RAT-main/XWorm RAT V2.1/Tools/HVNC-Server.exe

    • Size

      112KB

    • MD5

      2bc558b0cf60f8c5a17d16299e07a030

    • SHA1

      9a6a53a088cdbab38201b11015e58aacb85e1dc6

    • SHA256

      83178407d4761df1439304df2f08ec6df4e216986fab12590b6339186291b591

    • SHA512

      21ed30fb07a670ca4cf44527d34d201735dac1a9c23e7cc709983c3dbff75cdeec8380c2fe795270fd77203fa9e59b34a324acdb0815c8654b819269e52d9ce8

    • SSDEEP

      3072:cl/0Gw9hSR3UFqhHe9Z0SZDz4PUF8FaBh3:cl8GjtChHh3

    • Score

      1/10

    • Target

      XWorm-RAT-main/XWorm RAT V2.1/Tools/ResHacker.exe

    • Size

      1.0MB

    • MD5

      d285a10c73da68b027951a2038a7ae0d

    • SHA1

      e3e5712df92ed49d6cd429799e6e557af093da06

    • SHA256

      aeeac91ca85c59309a8d6f7109a84e1ee6d4817498417373e7c3c93dac7bb1e5

    • SHA512

      150b47f6b4ab2c33c818843ddf30562c85055c1be5bbda7bc347bf36116b4d8d8f7b78303342e9eb667facd37a841eb7d930de325f25d170b680e97f8dfed48e

    • SSDEEP

      24576:XS9wlTzi2gQO1PMV2DCHAJ2glv9fJVOYfJSzaSArbz2jQOS/:C9ijgQO1PMDozYAPz2UN/

    • Score

      1/10

    • Target

      XWorm-RAT-main/XWorm RAT V2.1/Tools/vncviewer.exe

    • Size

      1.5MB

    • MD5

      b8d15cd10f1e9ff6adeae64fbbeb755b

    • SHA1

      f962549e42b58a056b11a9ba9750a30bc76844d7

    • SHA256

      823168f7ff268a96aa80d915d946411ef214e7597c73312b19f9723d704b1396

    • SHA512

      1478c76b08a8aa9cf9db927ea371c192ade81d8e27d394613f05aa60011fa8bc46ada115ab4c8c9aa75fcf86dbb62f7089a211f58270c984a204c91465cd07af

    • SSDEEP

      24576:Jj/05kjHhc0Vo68/RWyVae30Zh6FSCTpf2kveQn5poM5lcOBo:JY5kdc0G68/RVoe3+MTZ2kFroM5lxBo

    • Score

      1/10

    • Target

      XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe

    • Size

      1.9MB

    • MD5

      4904329d091687c9deb08d9bd7282e77

    • SHA1

      bcf7fcebb52cad605cb4de65bdd077e600475cc7

    • SHA256

      e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd

    • SHA512

      b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb

    • SSDEEP

      24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr

    • Score

      7/10

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm-RAT-main/XWorm RAT V2.1/XWorm-RAT-V2.1-builder.exe

    • Size

      3.2MB

    • MD5

      6925453f1a0ba21cb5559eb60aa454c2

    • SHA1

      f41d894c216079a1d410747d28a1b2017a7e5601

    • SHA256

      eeaf8ab27825be4133d2bef1fb9db23b23edade4b21c31976aefe66807eac93a

    • SHA512

      aa2a6379b6e7489cdbb10a46af7c362d5e6ab826935807bfa37d08e7aa6a79b29f7ff9b95f1777a321b99c98ef95e1084d38997e106c04f3975004689a246873

    • SSDEEP

      24576:t08GeFzFDzPLDP8c1uAowyLQfB/eVjKIOQaBcM707ae8gpeJF+kR8YD2Y35lBIWf:N/TjrHWKWDOQko29ueJsq8if9

    • Score

      8/10

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      XWorm-RAT-main/XWorm RAT V2.1/resource/data.dat

    • Size

      6.5MB

    • MD5

      a21db5b6e09c3ec82f048fd7f1c4bb3a

    • SHA1

      e7ffb13176d60b79d0b3f60eaea641827f30df64

    • SHA256

      67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

    • SHA512

      7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

    • SSDEEP

      98304:KAc94bqa9niwFYWLqDuTTTTTTdfPPpWLq+Guf2W2b6F72q0:KAcC9iwFYWuDCPPpWu+GduZ2L

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (1)

Tasks