Analysis
max time kernel: 1800s
max time network: 1801s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-05-2024 15:42
Behavioral task behavioral1
  Sample: XWorm-RAT-V2.1-main.zip
  Resource: win11-20240419-en
Behavioral task behavioral2
  Sample: XWorm-RAT-V2.1-main/XWorm RAT V2.1/Command Reciever.exe
  Resource: win11-20240426-en
Behavioral task behavioral3
  Sample: XWorm-RAT-V2.1-main/XWorm RAT V2.1/XWorm RAT V2.1.exe
  Resource: win11-20240426-en
General
Target: XWorm-RAT-V2.1-main/XWorm RAT V2.1/XWorm RAT V2.1.exe
Size: 2.2MB
MD5: 835f081566e31c989b525bccb943569c
SHA1: 71d04e0a86ce9585e5b7a058beb0a43cf156a332
SHA256: ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579
SHA512: 9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c
SSDEEP: 49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 1572  Command Reciever.exe
  PID 412   Update.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1572  Command Reciever.exe
  PID 412   Update.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLogger\\Update.exe"

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Network flows:
  flow 1  raw.githubusercontent.com
  flow 3  raw.githubusercontent.com
  flow 5  raw.githubusercontent.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 1  ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Update.exe: Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Update.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Delays execution with timeout.exe (1 IoC)
Processes:
  PID 3268  timeout.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)

Modifies registry key (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (all 64 hits come from these two processes):
  PID 1572  Command Reciever.exe
  PID 412   Update.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  PID 1572  Command Reciever.exe  Token: SeDebugPrivilege
  PID 2256  tasklist.exe          Token: SeDebugPrivilege
  PID 412   Update.exe            Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 412   Update.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes (source PID / process -> target PID / process; each distinct pair is listed once):
  404   XWorm RAT V2.1.exe    -> 1360  Command Reciever.exe
  404   XWorm RAT V2.1.exe    -> 1572  Command Reciever.exe
  1572  Command Reciever.exe  -> 4956  cmd.exe
  4956  cmd.exe               -> 2256  tasklist.exe
  4956  cmd.exe               -> 4996  find.exe
  4956  cmd.exe               -> 3268  timeout.exe
  4956  cmd.exe               -> 412   Update.exe
  412   Update.exe            -> 4180  cmd.exe
  4180  cmd.exe               -> 2384  reg.exe
Processes (process tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"

  C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\tasklist.exe
        command line: Tasklist /fi "PID eq 1572"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\find.exe
        command line: find ":"

      C:\Windows\system32\timeout.exe
        command line: Timeout /T 1 /Nobreak
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
        command line: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\reg.exe
            command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
            - Adds Run key to start application
            - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  Filesize: 5.6MB
  MD5: b8703418e6c3d1ccd83b8d178ab9f4c9
  SHA1: 6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
  SHA256: d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
  SHA512: 75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
- C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
  Filesize: 1.7MB
  MD5: 65ccd6ecb99899083d43f7c24eb8f869
  SHA1: 27037a9470cc5ed177c0b6688495f3a51996a023
  SHA256: aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
  SHA512: 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
- C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp.bat
  Filesize: 290B
  MD5: b20cb957e0b7af7a53f193d0ad76374a
  SHA1: 72aac95a4057369c7497f2830ed6ac10bb91e0a2
  SHA256: ce5f22422ecd5c417858b933ec208468bc93ae0270c263321bb3502737836fbb
  SHA512: c7b05aaf596389215b59ab06cbe9518f7b1dde5be7a695f966dec40fa9c417ebae40e34e0a1fed88d7e985480041f3d85ea9d1ddb50d274ee42799854632fdbd