xworm | af798e7c9e3ec896c9fc4891e128a5ef6035b027390320dd184d1dcef89ff470

General

Target

d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe
Size

755KB
MD5

a8f5eb653b660a24e0a0017c684c1b96
SHA1

4b75c2c8dba5f4198873a8ed0e0c4d2bf146d881
SHA256

d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51
SHA512

0ff6026999fee1e6456a6557a82079a03622480edfd5aef9f7c1e3b03266a1e589fc4b3eb4568f3bec9f5f5f439f58aa313c8409241cbe4e1ffc1043c66a0b01
SSDEEP

12288:HwglEe171o1+1k155scBRTWgwxPzDnkbIStV4bkX7cst2Ket3D6ohYc8A4isx:CnNKkbI0NjKRs

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

dav12221.duckdns.org:7000

Mutex

VnoSv30JNEHEbKof

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2980-15-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2980-19-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2980-17-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2980-11-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2980-9-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2980	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28
PID 2728 wrote to memory of 2980	2728	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	28

C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe
"C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe
  "C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-0-0x0000000000AC0000-0x0000000000B84000-memory.dmp

Filesize
784KB

Download
memory/2728-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-2-0x00000000003E0000-0x000000000041E000-memory.dmp

Filesize
248KB

Download
memory/2728-3-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2728-4-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2728-20-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2980-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-21-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-22-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/2980-23-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-24-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing