General

  • Target

    XWorm-RAT-V2.1-XWorm.zip

  • Size

    34.0MB

  • Sample

    240326-18w5tadh34

  • MD5

    6a5859351794162ae8f678a8ab7f376a

  • SHA1

    2cf7195a0fe29adcb2c81b909c526abaf807e64b

  • SHA256

    29fe532017539d0a37057cc6f0f3734219cd9bcd3ee9c05a009c055207bfb5a4

  • SHA512

    5f6e72404362e6bed2a39a2ce7dbadb4dfbbf34636edb6624b3b9512d35570a955159621174f8fa1de794eef5507b1c4457ef40be123712c84cb5e6fba538328

  • SSDEEP

    786432:BiIKtjXylNXspXclWQK1KDQXzTnHB35oQ9FeDym3yIZU:QLeJsSAlKWh35oQ9KVu

Malware Config

Targets

    • Target

      XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Command Reciever.exe

    • Size

      6.5MB

    • MD5

      a21db5b6e09c3ec82f048fd7f1c4bb3a

    • SHA1

      e7ffb13176d60b79d0b3f60eaea641827f30df64

    • SHA256

      67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

    • SHA512

      7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

    • SSDEEP

      98304:KAc94bqa9niwFYWLqDuTTTTTTdfPPpWLq+Guf2W2b6F72q0:KAcC9iwFYWuDCPPpWu+GduZ2L

    • Score

      1/10

    • Target

      XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Resource/data.dat

    • Size

      5.6MB

    • MD5

      4054d1355f1d66ba8055391bb048053f

    • SHA1

      cbe76f2523f66be0d1f9b6ec60b0b2fc6e8da990

    • SHA256

      448ff3ccfbbbf2c72aa4ea12f72a116c173972d2fdc720bddd3a3ec542d0e8cd

    • SHA512

      aaf76ca9240cebbc8163eec77f4fc6babb365bfd3235cb421611ca9f7fea4d593dfa2f50a2dcbc02133793a48d815a8349a69c6ba7961a79ff35a7dd6b795da0

    • SSDEEP

      98304:Iwl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcZ6U:IbOuK6mn9NzgMoYkSIvUcwti7TQlvcio

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/HVNC-Server.exe

    • Size

      112KB

    • MD5

      2bc558b0cf60f8c5a17d16299e07a030

    • SHA1

      9a6a53a088cdbab38201b11015e58aacb85e1dc6

    • SHA256

      83178407d4761df1439304df2f08ec6df4e216986fab12590b6339186291b591

    • SHA512

      21ed30fb07a670ca4cf44527d34d201735dac1a9c23e7cc709983c3dbff75cdeec8380c2fe795270fd77203fa9e59b34a324acdb0815c8654b819269e52d9ce8

    • SSDEEP

      3072:cl/0Gw9hSR3UFqhHe9Z0SZDz4PUF8FaBh3:cl8GjtChHh3

    • Score

      1/10

    • Target

      XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/ResHacker.exe

    • Size

      1.0MB

    • MD5

      d285a10c73da68b027951a2038a7ae0d

    • SHA1

      e3e5712df92ed49d6cd429799e6e557af093da06

    • SHA256

      aeeac91ca85c59309a8d6f7109a84e1ee6d4817498417373e7c3c93dac7bb1e5

    • SHA512

      150b47f6b4ab2c33c818843ddf30562c85055c1be5bbda7bc347bf36116b4d8d8f7b78303342e9eb667facd37a841eb7d930de325f25d170b680e97f8dfed48e

    • SSDEEP

      24576:XS9wlTzi2gQO1PMV2DCHAJ2glv9fJVOYfJSzaSArbz2jQOS/:C9ijgQO1PMDozYAPz2UN/

    • Score

      1/10

    • Target

      XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/vncviewer.exe

    • Size

      1.5MB

    • MD5

      b8d15cd10f1e9ff6adeae64fbbeb755b

    • SHA1

      f962549e42b58a056b11a9ba9750a30bc76844d7

    • SHA256

      823168f7ff268a96aa80d915d946411ef214e7597c73312b19f9723d704b1396

    • SHA512

      1478c76b08a8aa9cf9db927ea371c192ade81d8e27d394613f05aa60011fa8bc46ada115ab4c8c9aa75fcf86dbb62f7089a211f58270c984a204c91465cd07af

    • SSDEEP

      24576:Jj/05kjHhc0Vo68/RWyVae30Zh6FSCTpf2kveQn5poM5lcOBo:JY5kdc0G68/RVoe3+MTZ2kFroM5lxBo

    • Score

      1/10

    • Target

      XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XHVNC.exe

    • Size

      1.9MB

    • MD5

      4904329d091687c9deb08d9bd7282e77

    • SHA1

      bcf7fcebb52cad605cb4de65bdd077e600475cc7

    • SHA256

      e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd

    • SHA512

      b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb

    • SSDEEP

      24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr

    • Score

      7/10

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XWorm RAT V2.1.exe

    • Size

      2.2MB

    • MD5

      835f081566e31c989b525bccb943569c

    • SHA1

      71d04e0a86ce9585e5b7a058beb0a43cf156a332

    • SHA256

      ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579

    • SHA512

      9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c

    • SSDEEP

      49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks