Malware Analysis Report

2025-05-05 22:24

Sample ID 231013-cy22baah6z
Target XWorm V5.0.exe
SHA256 9836b324a9a693050de20893b9ec1f6bd9c7d9b03eaf21112947cb82183c2016
Tags agilenet xworm rat trojan rhadamanthys stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 9836b324a9a693050de20893b9ec1f6bd9c7d9b03eaf21112947cb82183c2016

Threat Level: Known bad

The file XWorm V5.0.exe was found to be: Known bad.

Malicious Activity Summary

agilenet xworm rat trojan rhadamanthys stealer

Detect rhadamanthys stealer shellcode

Detect Xworm Payload

Rhadamanthys

Xworm

Xworm family

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported 2023-10-13 02:29

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-13 02:29
Reported 2023-10-13 02:31
Platform win7-20230831-en
Max time kernel 70s
Max time network 20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Client.exe

MD5 dbf35eac1c87ed287c8f7cba33d133b5
SHA1 d1dbfba561f8112e5099507a18cd9465b4fcb577
SHA256 16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd
SHA512 c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 dbf35eac1c87ed287c8f7cba33d133b5
SHA1 d1dbfba561f8112e5099507a18cd9465b4fcb577
SHA256 16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd
SHA512 c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532

memory/2204-9-0x0000000000400000-0x0000000000F40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-13 02:29
Reported 2023-10-13 02:34
Platform win10v2004-20230915-en
Max time kernel 208s
Max time network 217s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4784 set thread context of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Client.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 220 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 220 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 276

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

memory/220-1-0x0000000000400000-0x0000000000F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 dbf35eac1c87ed287c8f7cba33d133b5
SHA1 d1dbfba561f8112e5099507a18cd9465b4fcb577
SHA256 16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd
SHA512 c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532

memory/220-12-0x0000000000400000-0x0000000000F40000-memory.dmp

memory/1592-14-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1592-16-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1592-17-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1592-18-0x0000000000C20000-0x0000000000C27000-memory.dmp

memory/1592-19-0x0000000002B00000-0x0000000002F00000-memory.dmp

memory/1592-20-0x0000000002B00000-0x0000000002F00000-memory.dmp

memory/1592-21-0x0000000002B00000-0x0000000002F00000-memory.dmp

memory/1592-22-0x0000000002B00000-0x0000000002F00000-memory.dmp

memory/1592-23-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1592-24-0x0000000002B00000-0x0000000002F00000-memory.dmp

memory/1592-25-0x0000000002B00000-0x0000000002F00000-memory.dmp

memory/1592-26-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1592-27-0x0000000002B00000-0x0000000002F00000-memory.dmp