xworm

Sharing

Copy URL

Twitter E-mail

General

Target

C437rPSQNVzgjPbIKiUZsEqostl9FnPve5mDqEpa.zip
Size

66.1MB
Sample

240427-k6qx1sga8y
MD5

6c6cf43a66079c890cc9dd419efeae4f
SHA1

9675f1b6460cb16ea766335b83465b358255ee62
SHA256

8117e22fbace37f3ed1dfdcc6567e655619970990acd0df94bd83996a7bdc957
SHA512

1896eb26337ea92ee931a26c5d13e03df77a3a88deb1b5055aca158c3c0f8e74ed535e2790c7ec305335f6bd473c4dacb3cdb4ae1b661601b7f6389271bb4523
SSDEEP

1572864:mJVa7OvQzyw/liz3XkU+G7Ayf7EfuqDDadM14ygCzEg6ZS80h//:tOvQzywEzX55fksCAgsS8a//

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/z5PQ82wE

Targets

- Target
  
  Krampus/B1OdUv8CBH.exe
- Size
  
  1.0MB
- MD5
  
  73a20ee98214059033a93ff5da62d903
- SHA1
  
  a35422a4969f7d79fc9cf597cf40b7456d5b05d8
- SHA256
  
  5df7cf7c7d153a0e55b0ca9299d00c26625e70cff3613540c5718fe74e4c7d12
- SHA512
  
  7c3b08ebbc57467aa3615b14d7ea6f629e03e49c17d6268f62345cc58f4ca9823e45ef101c1e247db354ca944481470f94f9c226bc7774f78da9ad0185a76b47
- SSDEEP
  
  1536:ZAiYlXZeFi9eKNVlb8i7ZUNQmD4O+HoddUT:anpo2Xb8C8D4OUoET
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Krampus/ONLY RUN THIS IF IT DOESNT OPEN.exe
- Size
  
  65.8MB
- MD5
  
  7843ebba5f00c26945ffc032e71a4163
- SHA1
  
  d0911a0e6e382cac3a3222bb587e29a9ce693d2d
- SHA256
  
  fe114a523c18b9272554ededc7cb031b3aaf4dde03c6fbbe0ef3ce4b26f1211e
- SHA512
  
  9b416f7f8eabffd377540deb558efcee8df4d1a6d12b2df2d48a23717cfe4b3aee842d6ec3d3e3e461508b31c1317df80251fd157f13111a7528f57000ecb3ff
- SSDEEP
  
  1572864:9rziNx5qvoWg1ohltSg0eD0ApfkxUAv/iryZwOcS/QW956EiPc7:Yx5qvoWR/tJLD0ASoWr6EUc7
Score

7^/10

persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- An obfuscated cmd.exe command-line is typically used to evade detection.
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/StdUtils.dll
- Size
  
  100KB
- MD5
  
  c6a6e03f77c313b267498515488c5740
- SHA1
  
  3d49fc2784b9450962ed6b82b46e9c3c957d7c15
- SHA256
  
  b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
- SHA512
  
  9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- SSDEEP
  
  3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10
behavioral7 behavioral8
- Target
  
  Bloxtrap.exe
- Size
  
  154.5MB
- MD5
  
  0daf58dbc703cbe8e60639216cc04798
- SHA1
  
  26ef3e3ad52f9efb1a3f172f537ec48ee24fbedc
- SHA256
  
  920bffc0ec1e85fbab67c59f83f8a673ab8ed764b0ea3cc92e4bc7665e040bbf
- SHA512
  
  fa48d615524827ef598f6e432080ed35f824de3d56e8f6b9ed853d6caf1848580e503209b1002f2c7b666734ad08a17c9e705be8029afe900793d8288b32b437
- SSDEEP
  
  1572864:2CquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:MDAgZi
Score

7^/10

persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- An obfuscated cmd.exe command-line is typically used to evade detection.
behavioral10 behavioral9
- Target
  
  LICENSES.chromium.html
- Size
  
  6.5MB
- MD5
  
  180f8acc70405077badc751453d13625
- SHA1
  
  35dc54acad60a98aeec47c7ade3e6a8c81f06883
- SHA256
  
  0bfa9a636e722107b6192ff35c365d963a54e1de8a09c8157680e8d0fbbfba1c
- SHA512
  
  40d3358b35eb0445127c70deb0cb87ec1313eca285307cda168605a4fd3d558b4be9eb24a59568eca9ee1f761e578c39b2def63ad48e40d31958db82f128e0ec
- SSDEEP
  
  24576:d7rs5kjWSnB3lWNeUmf0f6W6M6q6A6r/HXpErpem:rovj
Score

1^/10
behavioral11 behavioral12
- Target
  
  d3dcompiler_47.dll
- Size
  
  4.7MB
- MD5
  
  cb9807f6cf55ad799e920b7e0f97df99
- SHA1
  
  bb76012ded5acd103adad49436612d073d159b29
- SHA256
  
  5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
- SHA512
  
  f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62
- SSDEEP
  
  49152:IuhjwXkKcimPVqB4faGCMhGNYYpQVTxx6k/ftO4w6FXKpOD21pLeXvZCoFwI8cc:oy904wYbZCoOI85oyI
Score

1^/10
behavioral13
- Target
  
  ffmpeg.dll
- Size
  
  2.7MB
- MD5
  
  d49e7a8f096ad4722bd0f6963e0efc08
- SHA1
  
  6835f12391023c0c7e3c8cc37b0496e3a93a5985
- SHA256
  
  f11576bf7ffbc3669d1a5364378f35a1ed0811b7831528b6c4c55b0cdc7dc014
- SHA512
  
  ca50c28d6aac75f749ed62eec8acbb53317f6bdcef8794759af3fad861446de5b7fa31622ce67a347949abb1098eccb32689b4f1c54458a125bc46574ad51575
- SSDEEP
  
  49152:XMoI7Qj3trgDtcfkW76fSL5Yqq6uthy4Y6NO8PyJegPTagrcjdiCOi2iNN3lzl3U:H3Kk76fUq/4TagreBOirnW
Score

1^/10
behavioral14 behavioral15
- Target
  
  libEGL.dll
- Size
  
  468KB
- MD5
  
  09134e6b407083baaedf9a8c0bce68f2
- SHA1
  
  8847344cceeab35c1cdf8637af9bd59671b4e97d
- SHA256
  
  d2107ba0f4e28e35b22837c3982e53784d15348795b399ad6292d0f727986577
- SHA512
  
  6ff3adcb8be48d0b505a3c44e6550d30a8feaf4aa108982a7992ed1820c06f49e0ad48d9bd92685fb82783dfd643629bd1fe4073300b61346b63320cbdb051ba
- SSDEEP
  
  12288:su0LAjbIkyVVR8O9v/6TiT5eU3axzvYwo:sub49/6TiQzvYX
Score

1^/10
behavioral16 behavioral17
- Target
  
  libGLESv2.dll
- Size
  
  7.2MB
- MD5
  
  a5f1921e6dcde9eaf42e2ccc82b3d353
- SHA1
  
  1f6f4df99ae475acec4a7d3910badb26c15919d1
- SHA256
  
  50c4dc73d69b6c0189eab56d27470ee15f99bbbc12bfd87ebe9963a7f9ba404e
- SHA512
  
  0c24ae7d75404adf8682868d0ebf05f02bbf603f7ddd177cf2af5726802d0a5afcf539dc5d68e10dab3fcfba58903871c9c81054560cf08799af1cc88f33c702
- SSDEEP
  
  98304:BuT3g23jeZ/02YPuLaw5RoD1rfEQ3CPdOEabcgsOMdi:BuDPTwLap14QzEijsvi
Score

1^/10
behavioral18 behavioral19
- Target
  
  resources/elevate.exe
- Size
  
  105KB
- MD5
  
  792b92c8ad13c46f27c7ced0810694df
- SHA1
  
  d8d449b92de20a57df722df46435ba4553ecc802
- SHA256
  
  9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
- SHA512
  
  6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40
- SSDEEP
  
  3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
Score

1^/10
behavioral20 behavioral21
- Target
  
  vk_swiftshader.dll
- Size
  
  5.0MB
- MD5
  
  a0845e0774702da9550222ab1b4fded7
- SHA1
  
  65d5bd6c64090f0774fd0a4c9b215a868b48e19b
- SHA256
  
  6150a413ebe00f92f38737bdccf493d19921ef6329fcd48e53de9dbde4780810
- SHA512
  
  4be0cb1e3c942a1695bae7b45d21c5f70e407132ecc65efb5b085a50cdab3c33c26e90bd7c86198ec40fb2b18d026474b6c649776a3ca2ca5bff6f922de2319b
- SSDEEP
  
  49152:tG7ixZvPbWjIXTFy1RYQZHJvuZBiDTwgvsrt5/PXd0kpmaN+WUf4CvB25zT7RCAq:c7iDPqjvzO1Lhgf49zT7grg4
Score

1^/10
behavioral22 behavioral23
- Target
  
  vulkan-1.dll
- Size
  
  899KB
- MD5
  
  0e4e0f481b261ea59f196e5076025f77
- SHA1
  
  c73c1f33b5b42e9d67d819226db69e60d2262d7b
- SHA256
  
  f681844896c084d2140ac210a974d8db099138fe75edb4df80e233d4b287196a
- SHA512
  
  e6127d778ec73acbeb182d42e5cf36c8da76448fbdab49971de88ec4eb13ce63140a2a83fc3a1b116e41f87508ff546c0d7c042b8f4cdd9e07963801f3156ba2
- SSDEEP
  
  24576:PR9nl1crwjLAQw6Z5WUDYsH56g3P0zAk7:PR1l1culw6Z5WUDYsH56g3P0zAk7
Score

1^/10
behavioral24 behavioral25
- Target
  
  $PLUGINSDIR/nsis7z.dll
- Size
  
  424KB
- MD5
  
  80e44ce4895304c6a3a831310fbf8cd0
- SHA1
  
  36bd49ae21c460be5753a904b4501f1abca53508
- SHA256
  
  b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
- SHA512
  
  c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df
- SSDEEP
  
  6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck
Score

3^/10
behavioral26 behavioral27

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

An obfuscated cmd.exe command-line is typically used to evade detection.

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

An obfuscated cmd.exe command-line is typically used to evade detection.

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27