xworm | 9f48bafc8116d691886054d64bd81dd84cf5114c84b72eb7ffcf8b9bac4341b4

General

Target

XBinderOutput.exe
Size

81KB
MD5

6a473a6fbeda2aa9557f5fb7eab5c9c6
SHA1

eb79bcf494c6cc5852b2439bc7ecdf04adf92b4e
SHA256

9f48bafc8116d691886054d64bd81dd84cf5114c84b72eb7ffcf8b9bac4341b4
SHA512

8a8fa406029ccd61907ad9cb18d9333c067eea2d81dbe079d658c8e3533e401027de95c1c77afe09b6d55695438e01a6dd677f14b94bb490bad51f959b3e5fbf
SSDEEP

1536:IzJVjzYoptrwvJBDrqiYQ9SZxlc9lQPykpl6VPM/qy:kyoptk/qcgc9+aQ6hu

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

million-houston.gl.at.ply.gg:27705

Attributes

Install_directory
%AppData%
install_file
BloxstrapModded.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral1/memory/2660-18-0x0000000000BA0000-0x0000000000BBA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 2 IoCs

Processes:

BloxstrapModded.exeXClient.exe

pid process

2204 BloxstrapModded.exe
2660 XClient.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3004 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XClient.exe

description pid process

Token: SeDebugPrivilege 2660 XClient.exe

pid	process
2204	BloxstrapModded.exe
2660	XClient.exe

pid	process
3004	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	2660	XClient.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

XBinderOutput.exeBloxstrapModded.exe

description	pid	process	target process
PID 2120 wrote to memory of 2204	2120	XBinderOutput.exe	BloxstrapModded.exe
PID 2120 wrote to memory of 2204	2120	XBinderOutput.exe	BloxstrapModded.exe
PID 2120 wrote to memory of 2204	2120	XBinderOutput.exe	BloxstrapModded.exe
PID 2204 wrote to memory of 2660	2204	BloxstrapModded.exe	XClient.exe
PID 2204 wrote to memory of 2660	2204	BloxstrapModded.exe	XClient.exe
PID 2204 wrote to memory of 2660	2204	BloxstrapModded.exe	XClient.exe
PID 2204 wrote to memory of 3004	2204	BloxstrapModded.exe	NOTEPAD.EXE
PID 2204 wrote to memory of 3004	2204	BloxstrapModded.exe	NOTEPAD.EXE
PID 2204 wrote to memory of 3004	2204	BloxstrapModded.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe
"C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:3004

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BloxstrapModded.exe
Filesize
10.0MB

MD5
d4823d25c86c905b29ff3cd42127d5b3

SHA1
4380e4416b419f1bde9ee98c45b14fc7f29e8876

SHA256
71cc081cbe5e67b32b6b07ca8e63211610e6a52d477f8afc32521a0b1cfd1f45

SHA512
e9d12f0e1c4c2a434c6ec8a004d85141a6f6bc6a81179d7f9200d387a8f7031554615a39e33384694c2e8291ebab533c3c703d927498480078a87b6f49520152

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt
Filesize
438B

MD5
659061a5689cae197b49f62be53bcf40

SHA1
6467f2252645e7ce87932aad37e24a6eed3fefeb

SHA256
0ca739b146beb166072cb199c8090f98140b88c5a7c251cf4ed730487507936c

SHA512
f5933100e6ce6a030cb7ee36213308cfa4b05859b903564c4d711e60433079dd8182922ea45f25ec8b8defca90c5aa56a94bce031e5aa0e35e11ae19fb858567

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe
Filesize
80KB

MD5
cfeb71480542c9b6d6aec88f02e6d820

SHA1
4fcf90f5f8e16dcee2fa5ee1611394533f7ff740

SHA256
ebabe3ead25f28d4fe0a3ab1a592d7160065995da465ec549ebe8f27ba5eeee9

SHA512
e5d1a95fe948e295f0f7cc55f88464136e088b0c7f531a132eab76025885f2de93d101981fc3dedc4bd7ed271b58578bcab235fc9d2bedca6e209fb3f7d594bd

Download Submit
memory/2120-1-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2120-2-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/2120-10-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2120-0-0x0000000001380000-0x000000000139A000-memory.dmp

Filesize
104KB

Download
memory/2204-9-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2204-13-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2204-8-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/2204-21-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-18-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

Filesize
104KB

Download
memory/2660-20-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing