xworm | 7f00e48b3dbd744ca6daf1f62bf29434ff89215ac8a01b9c89496c4a5f57bab0

General

Target

XClient.exe
Size

38KB
MD5

8de16a101c26eb3def9de0a4c1ed92e6
SHA1

73a697ba5553b46c7b24439eb29e1d208d9efb42
SHA256

7f00e48b3dbd744ca6daf1f62bf29434ff89215ac8a01b9c89496c4a5f57bab0
SHA512

c5fce2d9e68183cc3f2b8fb63dde45eaa8c0201927595b193cb754ed9aaa3d40319a0ae6a6e6d0d2f49fb8363b9d427dc297820c144c3cffd3d8041d256359dc
SSDEEP

768:gjElHydACVE2rOnS7q1vFu1Fu96HOfhpDEi:h8B5CSGvF4Fu96HOfIi

Score

10^/10

xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

h2cker.ddns.net:194

Mutex

JGTzs3YgAF2Db8Mc

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3484-0-0x0000000000330000-0x0000000000340000-memory.dmp	family_xworm
behavioral1/files/0x000a00000001ab62-7.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 1 IoCs

pid	Process
652	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
3484	XClient.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4536	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1880	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	XClient.exe
Token: SeDebugPrivilege	652	XClient.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4536	3484	XClient.exe	74
PID 3484 wrote to memory of 4536	3484	XClient.exe	74
PID 3484 wrote to memory of 2172	3484	XClient.exe	77
PID 3484 wrote to memory of 2172	3484	XClient.exe	77
PID 3484 wrote to memory of 1620	3484	XClient.exe	79
PID 3484 wrote to memory of 1620	3484	XClient.exe	79
PID 1620 wrote to memory of 1880	1620	cmd.exe	81
PID 1620 wrote to memory of 1880	1620	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\ProgramData\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4536
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp603D.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1880

C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XClient.exe

Filesize
38KB

MD5
8de16a101c26eb3def9de0a4c1ed92e6

SHA1
73a697ba5553b46c7b24439eb29e1d208d9efb42

SHA256
7f00e48b3dbd744ca6daf1f62bf29434ff89215ac8a01b9c89496c4a5f57bab0

SHA512
c5fce2d9e68183cc3f2b8fb63dde45eaa8c0201927595b193cb754ed9aaa3d40319a0ae6a6e6d0d2f49fb8363b9d427dc297820c144c3cffd3d8041d256359dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp603D.tmp.bat

Filesize
159B

MD5
fa2b0f3d183303b607e6b7344ebd2682

SHA1
bde0da100717a875e3b7eb399ef77f9a9a9d3cd4

SHA256
a7eb4f7160f1f7ef448da758c7a414059c454f1a6e08d5144a392aea1e6b7874

SHA512
b28027a90692ab3857ffc6004c020ca27e6c8ccde25b31cf59e2abc79ec7dda2f2621a8f5db5d46bbf2a4eaa8b013d521a2a8602da0efade6ad644feadd67889

Download Submit
\Users\Admin\AppData\Local\Temp\tmpC999.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/652-11-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/652-9-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/3484-0-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/3484-12-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/3484-13-0x000000001C100000-0x000000001C13A000-memory.dmp

Filesize
232KB

Download
memory/3484-6-0x000000001C580000-0x000000001C58A000-memory.dmp

Filesize
40KB

Download
memory/3484-18-0x000000001AF50000-0x000000001AF60000-memory.dmp

Filesize
64KB

Download
memory/3484-19-0x000000001BA90000-0x000000001BB12000-memory.dmp

Filesize
520KB

Download
memory/3484-2-0x000000001AF50000-0x000000001AF60000-memory.dmp

Filesize
64KB

Download
memory/3484-23-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/3484-1-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads