General
-
Target
XWorm-RAT-V2.1-XWorm.zip
-
Size
34.0MB
-
Sample
240326-18w5tadh34
-
MD5
6a5859351794162ae8f678a8ab7f376a
-
SHA1
2cf7195a0fe29adcb2c81b909c526abaf807e64b
-
SHA256
29fe532017539d0a37057cc6f0f3734219cd9bcd3ee9c05a009c055207bfb5a4
-
SHA512
5f6e72404362e6bed2a39a2ce7dbadb4dfbbf34636edb6624b3b9512d35570a955159621174f8fa1de794eef5507b1c4457ef40be123712c84cb5e6fba538328
-
SSDEEP
786432:BiIKtjXylNXspXclWQK1KDQXzTnHB35oQ9FeDym3yIZU:QLeJsSAlKWh35oQ9KVu
Behavioral task
behavioral1
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Command Reciever.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Command Reciever.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral3
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Resource/data.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Resource/data.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/HVNC-Server.exe
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/HVNC-Server.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/ResHacker.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/ResHacker.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/vncviewer.exe
Resource
win7-20240319-en
Behavioral task
behavioral10
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/vncviewer.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XHVNC.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XHVNC.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XWorm RAT V2.1.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XWorm RAT V2.1.exe
Resource
win10v2004-20240226-en
Malware Config
Targets
-
-
Target
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Command Reciever.exe
-
Size
6.5MB
-
MD5
a21db5b6e09c3ec82f048fd7f1c4bb3a
-
SHA1
e7ffb13176d60b79d0b3f60eaea641827f30df64
-
SHA256
67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
-
SHA512
7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
-
SSDEEP
98304:KAc94bqa9niwFYWLqDuTTTTTTdfPPpWLq+Guf2W2b6F72q0:KAcC9iwFYWuDCPPpWu+GduZ2L
Score 1/10
-
-
Target
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Resource/data.dat
-
Size
5.6MB
-
MD5
4054d1355f1d66ba8055391bb048053f
-
SHA1
cbe76f2523f66be0d1f9b6ec60b0b2fc6e8da990
-
SHA256
448ff3ccfbbbf2c72aa4ea12f72a116c173972d2fdc720bddd3a3ec542d0e8cd
-
SHA512
aaf76ca9240cebbc8163eec77f4fc6babb365bfd3235cb421611ca9f7fea4d593dfa2f50a2dcbc02133793a48d815a8349a69c6ba7961a79ff35a7dd6b795da0
-
SSDEEP
98304:Iwl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcZ6U:IbOuK6mn9NzgMoYkSIvUcwti7TQlvcio
Score 7/10
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/HVNC-Server.exe
-
Size
112KB
-
MD5
2bc558b0cf60f8c5a17d16299e07a030
-
SHA1
9a6a53a088cdbab38201b11015e58aacb85e1dc6
-
SHA256
83178407d4761df1439304df2f08ec6df4e216986fab12590b6339186291b591
-
SHA512
21ed30fb07a670ca4cf44527d34d201735dac1a9c23e7cc709983c3dbff75cdeec8380c2fe795270fd77203fa9e59b34a324acdb0815c8654b819269e52d9ce8
-
SSDEEP
3072:cl/0Gw9hSR3UFqhHe9Z0SZDz4PUF8FaBh3:cl8GjtChHh3
Score 1/10
-
-
Target
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/ResHacker.exe
-
Size
1.0MB
-
MD5
d285a10c73da68b027951a2038a7ae0d
-
SHA1
e3e5712df92ed49d6cd429799e6e557af093da06
-
SHA256
aeeac91ca85c59309a8d6f7109a84e1ee6d4817498417373e7c3c93dac7bb1e5
-
SHA512
150b47f6b4ab2c33c818843ddf30562c85055c1be5bbda7bc347bf36116b4d8d8f7b78303342e9eb667facd37a841eb7d930de325f25d170b680e97f8dfed48e
-
SSDEEP
24576:XS9wlTzi2gQO1PMV2DCHAJ2glv9fJVOYfJSzaSArbz2jQOS/:C9ijgQO1PMDozYAPz2UN/
Score 1/10
-
-
Target
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/Tools/vncviewer.exe
-
Size
1.5MB
-
MD5
b8d15cd10f1e9ff6adeae64fbbeb755b
-
SHA1
f962549e42b58a056b11a9ba9750a30bc76844d7
-
SHA256
823168f7ff268a96aa80d915d946411ef214e7597c73312b19f9723d704b1396
-
SHA512
1478c76b08a8aa9cf9db927ea371c192ade81d8e27d394613f05aa60011fa8bc46ada115ab4c8c9aa75fcf86dbb62f7089a211f58270c984a204c91465cd07af
-
SSDEEP
24576:Jj/05kjHhc0Vo68/RWyVae30Zh6FSCTpf2kveQn5poM5lcOBo:JY5kdc0G68/RVoe3+MTZ2kFroM5lxBo
Score 1/10
-
-
Target
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XHVNC.exe
-
Size
1.9MB
-
MD5
4904329d091687c9deb08d9bd7282e77
-
SHA1
bcf7fcebb52cad605cb4de65bdd077e600475cc7
-
SHA256
e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
-
SHA512
b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
-
SSDEEP
24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr
Score 7/10
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
XWorm-RAT-V2.1-XWorm/XWorm RAT V2.1/XWorm RAT V2.1.exe
-
Size
2.2MB
-
MD5
835f081566e31c989b525bccb943569c
-
SHA1
71d04e0a86ce9585e5b7a058beb0a43cf156a332
-
SHA256
ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579
-
SHA512
9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c
-
SSDEEP
49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm
Score 7/10
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-