asyncrat | hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-

Analysis

max time kernel
1511s
max time network
1463s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

Score

10^/10

asyncrat toxiceye def agilenet rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

win-xworm-builder.exewsappx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	win-xworm-builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wsappx.exe

Executes dropped EXE 3 IoCs

Processes:

win-xworm-builder.exewsappx.exesysfile32.exe

pid process

4836 win-xworm-builder.exe
1236 wsappx.exe
3272 sysfile32.exe
Loads dropped DLL 1 IoCs

Processes:

XHVNC.exe

pid process

2164 XHVNC.exe

pid	process
4836	win-xworm-builder.exe
1236	wsappx.exe
3272	sysfile32.exe

pid	process
2164	XHVNC.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2164-411-0x00000000066F0000-0x0000000006914000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

79 raw.githubusercontent.com
81 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

220 schtasks.exe
4696 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1504 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3268 tasklist.exe

flow	ioc
79	raw.githubusercontent.com
81	raw.githubusercontent.com

pid	process
220	schtasks.exe
4696	schtasks.exe

pid	process
1504	timeout.exe

pid	process
3268	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exednlib.exewsappx.exeDisAsClaimer.exe

pid	process
3856	msedge.exe
3856	msedge.exe
1372	msedge.exe
1372	msedge.exe
688	identity_helper.exe
688	identity_helper.exe
4440	msedge.exe
4440	msedge.exe
4840	dnlib.exe
4840	dnlib.exe
1236	wsappx.exe
1236	wsappx.exe
1236	wsappx.exe
1236	wsappx.exe
1236	wsappx.exe
1512	DisAsClaimer.exe
1512	DisAsClaimer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

XHVNC.exe

pid process

2164 XHVNC.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe

pid	process
2164	XHVNC.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

XWorm-RAT-V2.1-builder.exewin-xworm-builder.exetasklist.exewsappx.exednlib.exeDisAsClaimer.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4684	XWorm-RAT-V2.1-builder.exe
Token: SeDebugPrivilege	4836	win-xworm-builder.exe
Token: SeDebugPrivilege	3268	tasklist.exe
Token: SeDebugPrivilege	1236	wsappx.exe
Token: SeDebugPrivilege	4840	dnlib.exe
Token: SeDebugPrivilege	1512	DisAsClaimer.exe
Token: SeManageVolumePrivilege	3584	svchost.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exeXHVNC.exe

pid	process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
2164	XHVNC.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

wsappx.exeXHVNC.exe

pid process

1236 wsappx.exe
2164 XHVNC.exe
2164 XHVNC.exe

pid	process
1236	wsappx.exe
2164	XHVNC.exe
2164	XHVNC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1372 wrote to memory of 4600	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4600	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3288	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3856	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3856	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 4204	1372	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb32c46f8,0x7fffb32c4708,0x7fffb32c4718
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2860

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:4700

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684
- C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
    3⤵
    - Creates scheduled task(s)
    PID:220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFF8E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFF8E.tmp.bat
    3⤵
    PID:4216
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 4836"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3268
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:5100
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1504
  - - C:\Users\Static\wsappx.exe
      "wsappx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1236
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4696

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840
- C:\Users\Admin\AppData\Local\Temp\sysfile32.exe
  "C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"
  2⤵
  - Executes dropped EXE
  PID:3272

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:3728

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2e783cc7-5108-4bc6-bb47-2d50998b07f6.tmp

Filesize
11KB

MD5
12898332fe5f9fb9788a338cb42b2b6e

SHA1
dce87ad4a993b2d7b1c9c9690b3ef8babec83d01

SHA256
75e7460a015f409a26d1a166f46d75153a4308948ef6e048d97f1a5b20b4e2e9

SHA512
93d39f2714c8cab7c4f7aa7ffd27bb699c270a70ea18966bcedb03f3692bcded4c44a3bc2e4ba6388329a26683d1e0379abeac15683b81769428acb588eeb291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1ff784b84c22c16e60a15afae76f525f

SHA1
273a8d6ccfe799d4e29d18d746d709090f954848

SHA256
c38a32ba126c9fa77551ffbde892e0e120f3252756e5a6ed74974c179b39a6d0

SHA512
9e3206562c4c24443721bf683d6c683342b2c3333cc361d787f403e9b07d5427ce8f7c4eae5c17d3ba4e85bd8e085b94da5e523a1c235e534ff0560ba1939ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
773fb4b4aee1fc711996decf4d943b6d

SHA1
5a0ff39895150d79afc75d6bb870eaf2a7411555

SHA256
bf2541e5f818c85e94f249780776e0d5b6a4aafffc8ce5e97dc82070bebe30b9

SHA512
7c55dc4ab11ace2db228705f5f4115ec5d3f42c80cbc9e31049bdbf657eb4e966335ef8899534bf449bf62aaf1a4bac9f52e92264323f0fbaab4de82c88aeee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60416d497f5ff7b802567978067652b4

SHA1
2f164bb5bef671010d729d4c6eb886ee22d6c360

SHA256
1e4c7979c91371d205c0ad57cbaa47c742e6c078a31ae42051c783d1feab4e96

SHA512
cb1516f600b3bd141b4eec4da14f2c504e2f2ced512daa66099e8e48d4d74b847a0747301ff4505305f1f77e2c192a5c6e0b36bd59f9c420b2ea44b0155f2dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d6871fc74bc8be4d377fcf63d78df28

SHA1
c9bcedfff16b6936e7a201e72eecb096efb8f6a5

SHA256
cc0d2acf9aa844295e563826e7c7188e5c541a5e8b5a8b99c615849080bf6a1c

SHA512
7a692a59a74c58c05ce23e6114f93a5b204af2023ebe68478bfc612fa916f5c3367f0110e730407e4f33ff7f35f9ade6bbf5e3174ffac98f5c7b28ca874a2695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb96a08207281f989b7fc4e88b9ffb13

SHA1
32d581c4f96afc9cd5513436086958e054449f8e

SHA256
9e5072dfb4c514c0f698265bc103d0d2c6c125a22d4cd416e768c0a5e8fa5245

SHA512
3faf174a5c0632e78f23883f26db28f2d96fa605c60ee5e17a30f68e92cfb5a2e60c324206064ce349a0b745d9c7f842076064058a8c2421469c2e68c09d4096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d4713a7c22540a927a2b16cdea250dd

SHA1
af8bfef8883c683e1a2c0d3e3960b5eaa21be01a

SHA256
ead51f9a0c85280a8d58702258c0bcd00a452e6216414077fa0cf9d1becfc787

SHA512
255c796e50ad4ede4d08d6273f5a59823030e86da63f1dee1808a619d41e4b2b31d0ea952022e482366a59f747b7278763ebb8f1a7a038b845234bff991ceaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cd4c156a-80b9-47d0-b8f6-826d47e96487.tmp

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0dd810291c4e88f30fd5a041b049c80e

SHA1
1630b9c72a4e4c1a873a52b5989b07ebf8b2161f

SHA256
1a424d66488280dd69f52a67dcf2e1d9f1b58512a3477613669ad6a56623e207

SHA512
569fc93046dbf7a343355e210a90a1ae7008f433b4d92d42a2ba54766aafec0f5e3d9df76a3a64908129c8422061ce1207dfdac9c5dc3f0f69ead0d7ab5d585b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73867d42751a4292298c393a58e8624d

SHA1
b404584e8cd9c77809e1b313a6d3158491cab71e

SHA256
2f8aff4fca98e8b9b9c69eb7fee70a67354855d77aef7d3255bfd509d28527e9

SHA512
98d7804c88d9b58ba66a679679dacbb7b6bd08529609d467c05d19c031c11d07a01c9f920ae70f62894874b33b99810b310dc7913370a17112d713476f793daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tx0f34oq.zot.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe

Filesize
52KB

MD5
0c2d61d64f4325ca752202e5bf792e9e

SHA1
e7655910a124dd10beb774a693f7caccf849b438

SHA256
d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1

SHA512
1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF8E.tmp.bat

Filesize
195B

MD5
eb2d3445c311dfbef301d1713cb9a427

SHA1
e754210f36462de2552b43fd83597f9dce3fddb6

SHA256
823642afbe54828820a8020b56b2cfcdb32a2e4e29f8bfa88914540912722e9b

SHA512
f4df13720e495e8b9a1ee162b52bd72cb5fff6fdf89cdaab851dbbe03e93820e27fe3b5494da2e6c23fa1622845b99dec20b6cfc9a2934c903ed401639859c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe

Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip

Filesize
5.0MB

MD5
ed997c518b1affa39a5db6d5e1e38874

SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf

SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

Download Submit
\??\pipe\LOCAL\crashpad_1372_TUVZTBMYIQMDRPQA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1236-258-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/1236-243-0x000002905BAD0000-0x000002905BAE0000-memory.dmp

Filesize
64KB

Download
memory/1236-242-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-291-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-278-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/1512-288-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-289-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/2164-409-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2164-403-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/2164-430-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/2164-428-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2164-427-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2164-426-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2164-425-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/2164-421-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2164-420-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2164-419-0x0000000073860000-0x00000000738E9000-memory.dmp

Filesize
548KB

Download
memory/2164-411-0x00000000066F0000-0x0000000006914000-memory.dmp

Filesize
2.1MB

Download
memory/2164-410-0x00000000064B0000-0x00000000064BA000-memory.dmp

Filesize
40KB

Download
memory/2164-408-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/2164-407-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/2164-406-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/2164-405-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/2164-404-0x00000000009A0000-0x0000000000B8A000-memory.dmp

Filesize
1.9MB

Download
memory/3272-274-0x000000001AEB0000-0x000000001AEC0000-memory.dmp

Filesize
64KB

Download
memory/3272-292-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/3272-271-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/3584-447-0x000001AD7FA40000-0x000001AD7FA50000-memory.dmp

Filesize
64KB

Download
memory/3584-465-0x000001AD7FD90000-0x000001AD7FD91000-memory.dmp

Filesize
4KB

Download
memory/3584-431-0x000001AD7F940000-0x000001AD7F950000-memory.dmp

Filesize
64KB

Download
memory/3584-467-0x000001AD7FEA0000-0x000001AD7FEA1000-memory.dmp

Filesize
4KB

Download
memory/3584-463-0x000001AD7FD60000-0x000001AD7FD61000-memory.dmp

Filesize
4KB

Download
memory/3584-466-0x000001AD7FD90000-0x000001AD7FD91000-memory.dmp

Filesize
4KB

Download
memory/3728-424-0x00007FFFA4020000-0x00007FFFA4AE1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-423-0x000000001B310000-0x000000001B320000-memory.dmp

Filesize
64KB

Download
memory/3728-422-0x00007FFFA4020000-0x00007FFFA4AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-223-0x0000025B52BC0000-0x0000025B52BCA000-memory.dmp

Filesize
40KB

Download
memory/4684-205-0x0000025B38300000-0x0000025B3863E000-memory.dmp

Filesize
3.2MB

Download
memory/4684-219-0x0000025B52B40000-0x0000025B52B60000-memory.dmp

Filesize
128KB

Download
memory/4684-208-0x0000025B52C20000-0x0000025B52C30000-memory.dmp

Filesize
64KB

Download
memory/4684-206-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-224-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-199-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/4700-202-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-200-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-201-0x000000001AE40000-0x000000001AE50000-memory.dmp

Filesize
64KB

Download
memory/4836-220-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4836-222-0x000001CF528A0000-0x000001CF528B0000-memory.dmp

Filesize
64KB

Download
memory/4836-221-0x000001CF38180000-0x000001CF3824C000-memory.dmp

Filesize
816KB

Download
memory/4836-228-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-244-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/4840-254-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-255-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

Filesize
64KB

Download
memory/4840-256-0x0000000002C20000-0x0000000002C42000-memory.dmp

Filesize
136KB

Download
memory/4840-272-0x00007FFF9F900000-0x00007FFFA03C1000-memory.dmp

Filesize
10.8MB

Download