Overview

Overall score: 10

Tasks (task, platform, score):

Static                   static               10
XWorm-Rat-...in.zip      windows7-x64         1
XWorm-Rat-...in.zip      windows10-2004-x64   1
XWorm-Rat-...er.exe      windows7-x64         3
XWorm-Rat-...er.exe      windows10-2004-x64   1
XWorm-Rat-...ox.dll      windows7-x64         1
XWorm-Rat-...ox.dll      windows10-2004-x64   1
XWorm-Rat-...er.bat      windows7-x64         1
XWorm-Rat-...er.bat      windows10-2004-x64   1
XWorm-Rat-...IP.dat      windows7-x64         3
XWorm-Rat-...IP.dat      windows10-2004-x64   3
XWorm-Rat-...I2.dll      windows7-x64         1
XWorm-Rat-...I2.dll      windows10-2004-x64   1
XWorm-Rat-...io.dll      windows7-x64         1
XWorm-Rat-...io.dll      windows10-2004-x64   3
XWorm-Rat-...DME.md      windows7-x64         3
XWorm-Rat-...DME.md      windows10-2004-x64   3
XWorm-Rat-...er.php      windows7-x64         3
XWorm-Rat-...er.php      windows10-2004-x64   3
XWorm-Rat-...NC.exe      windows7-x64         7
XWorm-Rat-...NC.exe      windows10-2004-x64   7
XWorm-Rat-...er.exe      windows7-x64         3
XWorm-Rat-...er.exe      windows10-2004-x64   3
XWorm-Rat-...UI.exe      windows7-x64         10
XWorm-Rat-...UI.exe      windows10-2004-x64   10
XWorm-Rat-...ib.dll      windows7-x64         1
XWorm-Rat-...ib.dll      windows10-2004-x64   1
XWorm-Rat-...ib.exe      windows7-x64         3
XWorm-Rat-...ib.exe      windows10-2004-x64   10
Analysis

max time kernel: 126s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2023 14:45
Behavioral tasks (task: sample, resource)

behavioral1: XWorm-Rat-Remote-Administration-Tool--main.zip, win7-20230220-en
behavioral2: XWorm-Rat-Remote-Administration-Tool--main.zip, win10v2004-20230220-en
behavioral3: XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe, win7-20230220-en
behavioral4: XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe, win10v2004-20230220-en
behavioral5: XWorm-Rat-Remote-Administration-Tool--main/FastColoredTextBox.dll, win7-20230220-en
behavioral6: XWorm-Rat-Remote-Administration-Tool--main/FastColoredTextBox.dll, win10v2004-20230220-en
behavioral7: XWorm-Rat-Remote-Administration-Tool--main/Fixer.bat, win7-20230220-en
behavioral8: XWorm-Rat-Remote-Administration-Tool--main/Fixer.bat, win10v2004-20230220-en
behavioral9: XWorm-Rat-Remote-Administration-Tool--main/GeoIP.dat, win7-20230220-en
behavioral10: XWorm-Rat-Remote-Administration-Tool--main/GeoIP.dat, win10v2004-20230220-en
behavioral11: XWorm-Rat-Remote-Administration-Tool--main/Guna.UI2.dll, win7-20230220-en
behavioral12: XWorm-Rat-Remote-Administration-Tool--main/Guna.UI2.dll, win10v2004-20230220-en
behavioral13: XWorm-Rat-Remote-Administration-Tool--main/NAudio.dll, win7-20230220-en
behavioral14: XWorm-Rat-Remote-Administration-Tool--main/NAudio.dll, win10v2004-20230221-en
behavioral15: XWorm-Rat-Remote-Administration-Tool--main/README.md, win7-20230220-en
behavioral16: XWorm-Rat-Remote-Administration-Tool--main/README.md, win10v2004-20230220-en
behavioral17: XWorm-Rat-Remote-Administration-Tool--main/Uploader.php, win7-20230220-en
behavioral18: XWorm-Rat-Remote-Administration-Tool--main/Uploader.php, win10v2004-20230220-en
behavioral19: XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe, win7-20230220-en
behavioral20: XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe, win10v2004-20230220-en
behavioral21: XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe, win7-20230220-en
behavioral22: XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe, win10v2004-20230220-en
behavioral23: XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe, win7-20230220-en
behavioral24: XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe, win10v2004-20230220-en
behavioral25: XWorm-Rat-Remote-Administration-Tool--main/dnlib.dll, win7-20230220-en
behavioral26: XWorm-Rat-Remote-Administration-Tool--main/dnlib.dll, win10v2004-20230220-en
behavioral27: XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe, win7-20230220-en
General

Target: XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe
Size: 12KB
MD5: 6967b97ce4ff4524883a196a97736275
SHA1: 6fdf2b9adc16b40a06bacc7db0abee917ef4abd3
SHA256: e2bddf56324addac02678a7fd8d9c3da24ad55132883ad826a1a60eaf4e4a034
SHA512: c71525d49e36975cb43535cff5176409163b14f53b644e3d161fd56f7514f0affbda051541a07d9af4cdc45a564dfad20a23584701499a0f03e531219c9f72be
SSDEEP: 192:zLlo6IXsbK9CLPN0LWyJUMmYVY2QQq33WrmRaadrq8uSF3:PljIeyCLPN0CUUMme3o3mrmRJUSF
Malware Config

Extracted family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 37.18.62.18:8060
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: ChromeUpdate.exe
install_folder: %AppData%
Signatures

- Async RAT payload (6 IoCs)
  resource / yara_rule:
    C:\Users\Admin\AppData\Local\Temp\sysfile32.exe    asyncrat
    C:\Users\Admin\AppData\Local\Temp\sysfile32.exe    asyncrat
    C:\Users\Admin\AppData\Local\Temp\sysfile32.exe    asyncrat
    behavioral28/memory/668-178-0x0000000000010000-0x0000000000022000-memory.dmp    asyncrat
    C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe    asyncrat
    C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe    asyncrat

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / process:
    Key value queried    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation    dnlib.exe
    Key value queried    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation    sysfile32.exe

- Executes dropped EXE (3 IoCs)
  pid / process:
    4524    x86.exe
    668     sysfile32.exe
    3744    ChromeUpdate.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature description; no IoCs are recorded for it in this task, and the extracted payload is AsyncRAT, not ransomware.)

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Delays execution with timeout.exe (1 IoCs)
  pid / process:
    3224    timeout.exe

- Kills process with taskkill (1 IoCs)
  pid / process:
    4684    taskkill.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
    372    dnlib.exe (64 identical entries)

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / process:
    Token: SeDebugPrivilege    372     dnlib.exe
    Token: SeDebugPrivilege    4524    x86.exe
    Token: SeDebugPrivilege    4684    taskkill.exe
    Token: SeDebugPrivilege    668     sysfile32.exe
    Token: SeDebugPrivilege    3744    ChromeUpdate.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process:
    372    dnlib.exe (2 identical entries)

- Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / process / target process (identical entries collapsed, count in parentheses):
    PID 372 wrote to memory of 4496     372 dnlib.exe        cmstp.exe         (2)
    PID 372 wrote to memory of 668      372 dnlib.exe        sysfile32.exe     (3)
    PID 668 wrote to memory of 784      668 sysfile32.exe    cmd.exe           (3)
    PID 668 wrote to memory of 1552     668 sysfile32.exe    cmd.exe           (3)
    PID 784 wrote to memory of 1628     784 cmd.exe          schtasks.exe      (3)
    PID 1552 wrote to memory of 3224    1552 cmd.exe         timeout.exe       (3)
    PID 1552 wrote to memory of 3744    1552 cmd.exe         ChromeUpdate.exe  (3)
Processes (tree depth in brackets; image path, then command line, then signatures)

[1] C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system32\cmstp.exe
        "c:\windows\system32\cmstp.exe" /au C:\windows\temp\yjed03tr.inf

    [2] C:\Users\Admin\AppData\Local\Temp\sysfile32.exe
        "C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"' & exit
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"'
                - Creates scheduled task(s)

        [3] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA9C.tmp.bat""
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\timeout.exe
                timeout 3
                - Delays execution with timeout.exe

            [4] C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
                "C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\x86.exe
    C:\Users\Admin\AppData\Local\Temp\x86.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskkill.exe
    taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
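The tree above shows three things a detection rule should catch together: dnlib.exe launching cmstp.exe /au with an INF written to C:\windows\temp (the signed-binary proxy execution pattern MITRE lists as T1218.003), sysfile32.exe registering an onlogon task with /rl highest whose target sits under %AppData% (T1053.005), and a temporary .bat that runs timeout and then relaunches the installed copy. The following is an added example written by the editor, not code from the report, the sample or the XWorm repository. It re-encodes the process tree as data (child PIDs taken from the WriteProcessMemory IoCs) and runs three rules over it; the user-writable path markers, the flags the rules look for and the rule logic are the editor's assumptions.

```python
"""Rule checks over the process tree of this report (added example, editor's own code)."""
import re

# Constructed from the report: (pid, parent pid, image path, command line).
# Parent pid None means the report shows the process at tree depth 1.
PROCESSES = [
    (372, None,
     r"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"'),
    (4496, 372, r"c:\windows\system32\cmstp.exe",
     r'"c:\windows\system32\cmstp.exe" /au C:\windows\temp\yjed03tr.inf'),
    (668, 372, r"C:\Users\Admin\AppData\Local\Temp\sysfile32.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"'),
    (784, 668, r"C:\Windows\SysWOW64\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"' & exit'''),
    (1628, 784, r"C:\Windows\SysWOW64\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"'"""),
    (1552, 668, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA9C.tmp.bat""'),
    (3224, 1552, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    (3744, 1552, r"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe",
     r'"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"'),
    (4524, None, r"C:\Users\Admin\AppData\Local\Temp\x86.exe", r"C:\Users\Admin\AppData\Local\Temp\x86.exe"),
    (4684, None, r"C:\Windows\system32\taskkill.exe", "taskkill /IM cmstp.exe /F"),
]

# Assumption: directory markers a standard user can write to without elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_schtasks(cmdline):
    """Scheduled task whose /tr target lives in a user-writable directory (T1053.005)."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    target = re.search(r"""/tr\s+'?"?([^"']+)""", cmdline, re.IGNORECASE)
    if not target or not is_user_writable(target.group(1).strip()):
        return None
    trigger = re.search(r"/sc\s+(\S+)", low)
    note = " with /rl highest" if "/rl highest" in low else ""
    return "schtasks persistence to %s (trigger %s)%s" % (
        target.group(1).strip(), trigger.group(1) if trigger else "?", note)


def check_cmstp(image, cmdline):
    """cmstp.exe /au fed an INF from a user-writable directory (T1218.003)."""
    if basename(image) != "cmstp.exe" or "/au" not in cmdline.lower():
        return None
    inf = re.search(r"(\S+\.inf)\b", cmdline, re.IGNORECASE)
    if inf and is_user_writable(inf.group(1)):
        return "cmstp.exe /au with INF from %s" % inf.group(1)
    return None


def check_delayed_relaunch(image, cmdline, children):
    """cmd.exe running a .bat whose children are timeout.exe plus an EXE from a user-writable dir."""
    if basename(image) != "cmd.exe" or ".bat" not in cmdline.lower():
        return None
    has_timeout = any(basename(img) == "timeout.exe" for _, img, _ in children)
    relaunched = [img for _, img, _ in children
                  if img.lower().endswith(".exe") and is_user_writable(img)]
    if has_timeout and relaunched:
        return "batch-driven delayed relaunch of %s after timeout.exe" % relaunched[0]
    return None


def analyze(procs):
    """Return {pid: [finding, ...]} for every process that trips at least one rule."""
    by_parent = {}
    for pid, ppid, image, cmd in procs:
        by_parent.setdefault(ppid, []).append((pid, image, cmd))
    findings = {}
    for pid, ppid, image, cmd in procs:
        hits = [f for f in (check_schtasks(cmd), check_cmstp(image, cmd),
                            check_delayed_relaunch(image, cmd, by_parent.get(pid, [])))
                if f]
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(analyze(PROCESSES).items()):
        print("PID %d: %s" % (pid, "; ".join(hits)))
```

Run stand-alone it reports PIDs 784, 1552, 1628 and 4496; dnlib.exe itself, the relaunched ChromeUpdate.exe and the taskkill that cleans up cmstp.exe trip nothing, which is why the cmstp rule keys on the INF location rather than on the binary alone.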
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pbnkipwe.knq.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Local\Temp\sysfile32.exe (3 identical entries)
  Filesize: 49KB
  MD5: 9b64d05f82ebaa3e51a79c1beeed2181
  SHA1: 28b89cd9f181c41586b06f3e3c1f90e2270781ef
  SHA256: 93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8
  SHA512: 580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13

- C:\Users\Admin\AppData\Local\Temp\tmpAA9C.tmp.bat
  Filesize: 156B
  MD5: e40f0b44d2654de3fca4d9d64a2212e1
  SHA1: 3ea42b98393fe18635f921ec9c0a3c412456ee0c
  SHA256: 2897f8201c2ddf7302b76117e6f2e7c88adc48e505bc662cea5e8958fca975a8
  SHA512: e1438a66aa84628e1a93e14ed43b1a6778caec3e2a9b516c975ae4749b16da2bfb08974e8769669cc68268f2d100dd4f4e30a54ff605034d8a0b849eb55f8389

- C:\Users\Admin\AppData\Local\Temp\x86.exe (2 identical entries)
  Filesize: 12KB
  MD5: f922206889c896cf2d86f21e9f9db7db
  SHA1: 046b00f2edb34982db266d903627ced283f4a5ea
  SHA256: 1ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3
  SHA512: abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965

- C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe (2 identical entries; same hashes as sysfile32.exe, i.e. the dropped payload copied to the configured install_folder/install_file)
  Filesize: 49KB
  MD5: 9b64d05f82ebaa3e51a79c1beeed2181
  SHA1: 28b89cd9f181c41586b06f3e3c1f90e2270781ef
  SHA256: 93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8
  SHA512: 580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13

- C:\windows\temp\yjed03tr.inf
  Filesize: 542B
  MD5: 5c23ac475d677288f01378eb90a7d32c
  SHA1: 8801e0122b4c2575bc8dcfbf04421a2c446dddf7
  SHA256: 7f146ed6fa2a2fbde0cda5e2afc47d4987dc62b8d3edb75d4d7341653bcefabe
  SHA512: 21c7ec4352e9c2c4a5472b4b5fee1372440589f27cd3f7b9bd756ce9d311b90c28fe82403cf8435119fc0ed13da03b6773f774b68128f1b280f7ecd5cafd4961
Memory dumps (region, size):

memory/372-144-0x000000001C050000-0x000000001C060000-memory.dmp     64KB
memory/372-151-0x000000001C050000-0x000000001C060000-memory.dmp     64KB
memory/372-150-0x000000001C050000-0x000000001C060000-memory.dmp     64KB
memory/372-133-0x0000000000880000-0x0000000000888000-memory.dmp     32KB
memory/372-143-0x000000001BFF0000-0x000000001C012000-memory.dmp     136KB
memory/668-179-0x0000000004B50000-0x0000000004B60000-memory.dmp     64KB
memory/668-180-0x0000000004D60000-0x0000000004DFC000-memory.dmp     624KB
memory/668-178-0x0000000000010000-0x0000000000022000-memory.dmp     72KB
memory/3744-189-0x0000000005050000-0x0000000005060000-memory.dmp    64KB
memory/3744-190-0x0000000005050000-0x0000000005060000-memory.dmp    64KB
memory/4524-164-0x000000001BDC0000-0x000000001BDD0000-memory.dmp    64KB
memory/4524-154-0x0000000000670000-0x0000000000678000-memory.dmp    32KB
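The Downloads list records one 49KB file under two paths, C:\Users\Admin\AppData\Local\Temp\sysfile32.exe and C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe, which is exactly what the Malware Config's install_folder and install_file predict. The example below is added by the editor and is not code from the report, the sample or the XWorm repository: it parses the listing in the flattened form the page uses (label fused to hash, size on its own line), groups records by SHA256 so repeated write events collapse, and checks the grouping against the extracted config. The constructed excerpt leaves out the SHA512 lines and the .ps1/.bat entries; the parsing rules and the expansion of %AppData% to the sandbox user Admin's Roaming directory are assumptions.

```python
"""Correlate dropped files with the extracted AsyncRAT config (added example, editor's own code)."""
import re

# Constructed excerpt of the Downloads section as extracted: "<path>Filesize", a size line,
# then "MD5<hex>", "SHA1<hex>", "SHA256<hex>" with the label fused to the hex digest.
DOWNLOADS_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\sysfile32.exeFilesize
49KB
MD59b64d05f82ebaa3e51a79c1beeed2181
SHA128b89cd9f181c41586b06f3e3c1f90e2270781ef
SHA25693c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8
C:\Users\Admin\AppData\Local\Temp\sysfile32.exeFilesize
49KB
MD59b64d05f82ebaa3e51a79c1beeed2181
SHA128b89cd9f181c41586b06f3e3c1f90e2270781ef
SHA25693c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8
C:\Users\Admin\AppData\Local\Temp\x86.exeFilesize
12KB
MD5f922206889c896cf2d86f21e9f9db7db
SHA1046b00f2edb34982db266d903627ced283f4a5ea
SHA2561ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exeFilesize
49KB
MD59b64d05f82ebaa3e51a79c1beeed2181
SHA128b89cd9f181c41586b06f3e3c1f90e2270781ef
SHA25693c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8
C:\windows\temp\yjed03tr.infFilesize
542B
MD55c23ac475d677288f01378eb90a7d32c
SHA18801e0122b4c2575bc8dcfbf04421a2c446dddf7
SHA2567f146ed6fa2a2fbde0cda5e2afc47d4987dc62b8d3edb75d4d7341653bcefabe
"""

# Copied from the Malware Config section of the report.
CONFIG = {"family": "asyncrat", "version": "0.5.7B", "c2": "37.18.62.18:8060",
          "mutex": "AsyncMutex_6SI8OkPnk", "delay": 3, "install": True,
          "install_file": "ChromeUpdate.exe", "install_folder": "%AppData%"}

# Longest label first: "SHA256..." must not be read as "SHA1" followed by hex.
HASH_LEN = {"SHA512": 128, "SHA256": 64, "SHA1": 40, "MD5": 32}


def parse_size(text):
    """'49KB' -> 50176, '156B' -> 156."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)]


def parse_downloads(text):
    """Split the flattened listing into {path, size, md5, sha1, sha256} records, one per write event."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            cur = {"path": line[:-len("Filesize")], "size": None}
            entries.append(cur)
        elif cur is not None and cur["size"] is None:
            cur["size"] = parse_size(line)
        elif cur is not None:
            for name, length in HASH_LEN.items():
                if line.startswith(name):
                    value = line[len(name):].lower()
                    if len(value) == length and re.fullmatch(r"[0-9a-f]+", value):
                        cur[name.lower()] = value
                    break
    return entries


def group_by_sha256(entries):
    """sha256 -> distinct paths that were written with that content, in first-seen order."""
    groups = {}
    for e in entries:
        paths = groups.setdefault(e["sha256"], [])
        if e["path"] not in paths:
            paths.append(e["path"])
    return groups


def expected_install_path(config, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Expand install_folder/install_file; %AppData% -> the sandbox user's Roaming dir (assumption)."""
    folder = config["install_folder"].replace("%AppData%", appdata).rstrip("\\")
    return folder + "\\" + config["install_file"]


def correlate(entries, config):
    """Find the installed copy the config names and every other path with identical content."""
    target = expected_install_path(config).lower()
    for sha256, paths in group_by_sha256(entries).items():
        installed = [p for p in paths if p.lower() == target]
        if installed:
            return {"install_path": installed[0], "sha256": sha256,
                    "identical_copies": [p for p in paths if p.lower() != target]}
    return None
```

correlate() returns the ChromeUpdate.exe record with sysfile32.exe as its only identical copy; x86.exe and yjed03tr.inf end up in their own hash groups, so the same listing can be used to pick out which dropped artefact actually became the persistent payload.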