Overview

overview

10

Static

static

10

XWorm RAT ...er.exe

windows7-x64

1

XWorm RAT ...er.exe

windows10-2004-x64

1

XWorm RAT ...er.exe

windows7-x64

1

XWorm RAT ...er.exe

windows10-2004-x64

1

XWorm RAT ...er.exe

windows7-x64

1

XWorm RAT ...er.exe

windows10-2004-x64

1

XWorm RAT ...NC.exe

windows7-x64

7

XWorm RAT ...NC.exe

windows10-2004-x64

7

XWorm RAT ...er.exe

windows7-x64

7

XWorm RAT ...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-03-2023 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm RAT LATEST/XWorm-RAT-V2.1-builder.exe

  • Size

    3.5MB

  • MD5

    775ff5af83a841cd38d17f0e89850d31

  • SHA1

    977a6139d96c3d0289b3f6ed9ec54ed2ecc0247e

  • SHA256

    416d0f5e93bd4249b00d6907264d870401255dba0fa4983017ae6f34af36dc1b

  • SHA512

    730628bf0f43c069728938656c939784c6146660668d9d5e91ac473f3aff0096fad0804ee2c88b9571ddba2354761668dc550ef4bae6266922dfae8cfc075349

  • SSDEEP

    24576:508GeFzFDzPLDP8c1uAowyLQfB/eVjKIOQaBcM707ae8gpeJF+kR8YD2Y35/5Mbi:Z/TjrHWKWDOQko29ueJsq8z0H

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm RAT LATEST\XWorm-RAT-V2.1-builder.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm RAT LATEST\XWorm-RAT-V2.1-builder.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-builder.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-builder.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1404 -s 1816
        3⤵
        • Program crash
        PID:1708
    • C:\Users\Admin\AppData\Local\Temp\discord.exe
      "C:\Users\Admin\AppData\Local\Temp\discord.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 464 -p 1404 -ip 1404
    1⤵
      PID:4528

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-builder.exe
      Filesize

      3.2MB

      MD5

      339b7f92641c0f5161731fc681aaeb3a

      SHA1

      21d2d89e9ade90df638f33d314ac68e30f6aa52e

      SHA256

      b6fb77dfd00695678b06ed122523a0b067077fe69113f395661cd3be748d9f7c

      SHA512

      58e5ff1d92be52df114b7f060d700823dff9158ec765cf9b19ab9df0ace2669405467f49d1bd56ce04871683fbcbaace5976ebdbd1575490ff411333a3905134

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-builder.exe
      Filesize

      3.2MB

      MD5

      339b7f92641c0f5161731fc681aaeb3a

      SHA1

      21d2d89e9ade90df638f33d314ac68e30f6aa52e

      SHA256

      b6fb77dfd00695678b06ed122523a0b067077fe69113f395661cd3be748d9f7c

      SHA512

      58e5ff1d92be52df114b7f060d700823dff9158ec765cf9b19ab9df0ace2669405467f49d1bd56ce04871683fbcbaace5976ebdbd1575490ff411333a3905134

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-builder.exe
      Filesize

      3.2MB

      MD5

      339b7f92641c0f5161731fc681aaeb3a

      SHA1

      21d2d89e9ade90df638f33d314ac68e30f6aa52e

      SHA256

      b6fb77dfd00695678b06ed122523a0b067077fe69113f395661cd3be748d9f7c

      SHA512

      58e5ff1d92be52df114b7f060d700823dff9158ec765cf9b19ab9df0ace2669405467f49d1bd56ce04871683fbcbaace5976ebdbd1575490ff411333a3905134

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\discord.exe
      Filesize

      159KB

      MD5

      46a2cc3ad2ade7a6b5551b53636e0abb

      SHA1

      b8eb52479e933c3530ca826fbe59567af3c4f6ec

      SHA256

      f8af311b3903b6ccd62cb62fed4903eb4351b4b886df23f815cbb61a8feb68d5

      SHA512

      7649c0eab09b770fd2e3a068fc84fb8d40b56207b1809bc6ba0b93955177535b7c3453c24430dc32327603db3541a4c8eac568bf59b18f28eb8fe3071e70217f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\discord.exe
      Filesize

      159KB

      MD5

      46a2cc3ad2ade7a6b5551b53636e0abb

      SHA1

      b8eb52479e933c3530ca826fbe59567af3c4f6ec

      SHA256

      f8af311b3903b6ccd62cb62fed4903eb4351b4b886df23f815cbb61a8feb68d5

      SHA512

      7649c0eab09b770fd2e3a068fc84fb8d40b56207b1809bc6ba0b93955177535b7c3453c24430dc32327603db3541a4c8eac568bf59b18f28eb8fe3071e70217f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\discord.exe
      Filesize

      159KB

      MD5

      46a2cc3ad2ade7a6b5551b53636e0abb

      SHA1

      b8eb52479e933c3530ca826fbe59567af3c4f6ec

      SHA256

      f8af311b3903b6ccd62cb62fed4903eb4351b4b886df23f815cbb61a8feb68d5

      SHA512

      7649c0eab09b770fd2e3a068fc84fb8d40b56207b1809bc6ba0b93955177535b7c3453c24430dc32327603db3541a4c8eac568bf59b18f28eb8fe3071e70217f

      Download Submit

    • memory/440-154-0x0000000000400000-0x0000000000784000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/1404-156-0x000001E6E06F0000-0x000001E6E0A2E000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/1404-165-0x000001E6FC520000-0x000001E6FC66E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1404-158-0x000001E6E0E50000-0x000001E6E0E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1404-162-0x000001E6E0E40000-0x000001E6E0E4A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4668-161-0x0000000005830000-0x000000000593A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-167-0x0000000005BF0000-0x0000000005C56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4668-159-0x0000000005C60000-0x0000000006278000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4668-163-0x0000000005760000-0x000000000579C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4668-164-0x00000000057F0000-0x0000000005800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4668-157-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4668-166-0x00000000057F0000-0x0000000005800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4668-160-0x0000000005700000-0x0000000005712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4668-168-0x0000000006760000-0x00000000067F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4668-169-0x0000000006DB0000-0x0000000007354000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4668-170-0x0000000006CA0000-0x0000000006D16000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4668-171-0x0000000007FE0000-0x00000000081A2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4668-172-0x00000000086E0000-0x0000000008C0C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4668-173-0x0000000007E10000-0x0000000007E2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4668-174-0x00000000073B0000-0x0000000007400000-memory.dmp

      Filesize

      320KB

      Download