xworm | 84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e

General

Target

84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe
Size

158KB
MD5

abf647d1e50b682d88d4ee16b0afc72e
SHA1

853b65eb86ed06df118a177cd0da8c50638f3526
SHA256

84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e
SHA512

81507bd213c149ab0c1b52357dd32f9f14f2899d9010edde97de28ed4ed7128ea6efae636cd1107091ebb30a2a5340b70e5e2c36b2caff5006662f7e0a4636ac
SSDEEP

3072:1BEvgSlqGS9m3xQyKNbWNV3qmyBeumLidmCHFF942OMpE:HV9m3xQyObW3qm7Li1lF9W

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:59677

18.ip.gl.ply.gg:59677

Mutex

Kv72aX1BpMulY2Js

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7160078752:AAE1D6c9WU5aRGG23wz5A9BmsKm2JVq2fmc/sendMessage?chat_id=5816848461

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x002a000000013a88-8.dat	family_xworm
behavioral1/memory/2184-12-0x0000000000400000-0x000000000042F000-memory.dmp	family_xworm
behavioral1/memory/2484-15-0x00000000003E0000-0x00000000003F0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 2 IoCs

pid	Process
2712	XWormLoader 5.2 x64.exe
2484	Xworm 5.2.exe

Loads dropped DLL 8 IoCs

pid	Process
2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe
2944	Process not Found
2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2432	powershell.exe
2640	powershell.exe
2484	Xworm 5.2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	Xworm 5.2.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2484	Xworm 5.2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	Xworm 5.2.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2712	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	28
PID 2184 wrote to memory of 2712	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	28
PID 2184 wrote to memory of 2712	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	28
PID 2184 wrote to memory of 2712	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	28
PID 2184 wrote to memory of 2484	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	30
PID 2184 wrote to memory of 2484	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	30
PID 2184 wrote to memory of 2484	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	30
PID 2184 wrote to memory of 2484	2184	84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe	30
PID 2712 wrote to memory of 2536	2712	XWormLoader 5.2 x64.exe	31
PID 2712 wrote to memory of 2536	2712	XWormLoader 5.2 x64.exe	31
PID 2712 wrote to memory of 2536	2712	XWormLoader 5.2 x64.exe	31
PID 2484 wrote to memory of 2432	2484	Xworm 5.2.exe	33
PID 2484 wrote to memory of 2432	2484	Xworm 5.2.exe	33
PID 2484 wrote to memory of 2432	2484	Xworm 5.2.exe	33
PID 2484 wrote to memory of 2640	2484	Xworm 5.2.exe	35
PID 2484 wrote to memory of 2640	2484	Xworm 5.2.exe	35
PID 2484 wrote to memory of 2640	2484	Xworm 5.2.exe	35

C:\Users\Admin\AppData\Local\Temp\84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe
"C:\Users\Admin\AppData\Local\Temp\84e6384504011a2bed10e8f0de02b54290da2a43e50dd9b8cb0cec57703ba00e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe
  "C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2712 -s 540
    3⤵
    - Loads dropped DLL
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\Xworm 5.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm 5.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm 5.2.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm 5.2.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d5d7ebacbae785ee043ab5565d3e3c11

SHA1
480a6214448df0668e95906810e183cf1549121d

SHA256
ab579db8ae7ae8e2895626aa899f1e2d385574631d5cf41daabfb8f4bc802ceb

SHA512
604a534d4d8415ffe4b0f72f630fd75c4f2772d9857eb9c53aa29427149599fc38747edfa2fb5dfb7d053de3afe2526ed85fd4aa0e843f4e9cd2bc045dae0c14

Download Submit
\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
\Users\Admin\AppData\Local\Temp\Xworm 5.2.exe

Filesize
40KB

MD5
3374d0d94a34b1c06d11145da771c3b6

SHA1
6b21b5f8b029c8ca61e5c6f1216b6eaf55f26162

SHA256
d74c1385631936ce53dc512c6534b1485f31738a1bd5c9f0b8c3281476a5b256

SHA512
130e92f36a0a69e59bffcebc78eb81d88dc0d6d5bb5239e29b64a43ae9ff18377c56148badf765ec78ea193b84ecd471f8218f714449317fe81dc3245f210ded

Download Submit
memory/2184-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-25-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2432-26-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/2484-15-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2640-32-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2640-33-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2712-14-0x0000000000E40000-0x0000000000E60000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing