xworm | 3512d29f133707d6bda97a10e181af6b068f54e827f3f1799b3af657e9afc46d

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/03/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

32KB
MD5

56877a3e1e57771863e6691db7a0a18e
SHA1

c9ab6f11382e0b9747bc225313ea288545a2f71b
SHA256

3512d29f133707d6bda97a10e181af6b068f54e827f3f1799b3af657e9afc46d
SHA512

248d32b91158c762ae3c434e21e1805e2c385b1d987d1bba6145c35d109bdf70b921a38cef09b482eaa985a64e6f0b410abe825d75399b51a28e842f24319930
SSDEEP

768:b+CD9JxV5zlMMyoxVJt76NHRVFr9j0Ojhebi:bh9h5J997QHDFr9j0OjQ2

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

6.tcp.eu.ngrok.io:12508

<Xwormmm>:1

Mutex

yqenrdvf5FLgMphW

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2308-0-0x0000000000300000-0x000000000030E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	6.tcp.eu.ngrok.io

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2400	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	XClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2724	2308	XClient.exe	29
PID 2308 wrote to memory of 2724	2308	XClient.exe	29
PID 2308 wrote to memory of 2724	2308	XClient.exe	29
PID 2724 wrote to memory of 2400	2724	cmd.exe	31
PID 2724 wrote to memory of 2400	2724	cmd.exe	31
PID 2724 wrote to memory of 2400	2724	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp.bat

Filesize
159B

MD5
b699f6319017a4214935c606ba81275a

SHA1
c57d3d894cfc0e994a82331b314328461727f6cd

SHA256
648b62c239d59dff1a80947b73a68e7aa41a3941a020156e674c785e99984dcd

SHA512
2952659142e0f20657139931be6066b7dc06cdf3de87c4f6edd1e308b713bf01b71674387ecbbe883c4cf872f508e06cd515736699011d9358845e3199629bde

Download Submit
memory/2308-0-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2308-1-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-2-0x000000001AED0000-0x000000001AF50000-memory.dmp

Filesize
512KB

Download
memory/2308-11-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download