Analysis
-
max time kernel
1800s -
max time network
1801s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
01-05-2024 15:42
General
-
Target
XWorm-RAT-V2.1-main/XWorm RAT V2.1/XWorm RAT V2.1.exe
-
Size
2.2MB
-
MD5
835f081566e31c989b525bccb943569c
-
SHA1
71d04e0a86ce9585e5b7a058beb0a43cf156a332
-
SHA256
ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579
-
SHA512
9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c
-
SSDEEP
49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 1572"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind ":"4⤵
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f6⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exeFilesize
5.6MB
MD5b8703418e6c3d1ccd83b8d178ab9f4c9
SHA16fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
SHA256d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
SHA51275ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
-
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dllFilesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp.batFilesize
290B
MD5b20cb957e0b7af7a53f193d0ad76374a
SHA172aac95a4057369c7497f2830ed6ac10bb91e0a2
SHA256ce5f22422ecd5c417858b933ec208468bc93ae0270c263321bb3502737836fbb
SHA512c7b05aaf596389215b59ab06cbe9518f7b1dde5be7a695f966dec40fa9c417ebae40e34e0a1fed88d7e985480041f3d85ea9d1ddb50d274ee42799854632fdbd
-
memory/404-0-0x000000007431E000-0x000000007431F000-memory.dmpFilesize
4KB
-
memory/404-1-0x0000000000830000-0x0000000000A72000-memory.dmpFilesize
2.3MB
-
memory/404-2-0x0000000005B30000-0x00000000060D6000-memory.dmpFilesize
5.6MB
-
memory/412-46-0x0000025AEC8B0000-0x0000025AEC8D2000-memory.dmpFilesize
136KB
-
memory/412-67-0x0000025AED520000-0x0000025AED532000-memory.dmpFilesize
72KB
-
memory/412-48-0x0000025AEC8E0000-0x0000025AEC91A000-memory.dmpFilesize
232KB
-
memory/412-139-0x0000025AEDAF0000-0x0000025AEDB9A000-memory.dmpFilesize
680KB
-
memory/412-45-0x0000025AEC860000-0x0000025AEC8B0000-memory.dmpFilesize
320KB
-
memory/412-44-0x0000025AEC760000-0x0000025AEC812000-memory.dmpFilesize
712KB
-
memory/412-42-0x0000025AEC4F0000-0x0000025AEC55A000-memory.dmpFilesize
424KB
-
memory/412-49-0x0000025AEC810000-0x0000025AEC836000-memory.dmpFilesize
152KB
-
memory/412-41-0x0000025AD2DA0000-0x0000025AD2DAA000-memory.dmpFilesize
40KB
-
memory/412-72-0x0000025AED640000-0x0000025AED7F3000-memory.dmpFilesize
1.7MB
-
memory/1360-12-0x0000000074310000-0x0000000074AC1000-memory.dmpFilesize
7.7MB
-
memory/1360-31-0x0000000006E70000-0x0000000006ED6000-memory.dmpFilesize
408KB
-
memory/1360-71-0x0000000074310000-0x0000000074AC1000-memory.dmpFilesize
7.7MB
-
memory/1360-73-0x0000000005340000-0x0000000005350000-memory.dmpFilesize
64KB
-
memory/1360-22-0x0000000005150000-0x000000000515A000-memory.dmpFilesize
40KB
-
memory/1360-23-0x0000000005290000-0x00000000052E6000-memory.dmpFilesize
344KB
-
memory/1360-21-0x0000000005340000-0x0000000005350000-memory.dmpFilesize
64KB
-
memory/1360-18-0x00000000051F0000-0x0000000005282000-memory.dmpFilesize
584KB
-
memory/1360-15-0x0000000005040000-0x00000000050DC000-memory.dmpFilesize
624KB
-
memory/1360-11-0x00000000000B0000-0x0000000000742000-memory.dmpFilesize
6.6MB
-
memory/1572-19-0x00007FFDFBE43000-0x00007FFDFBE45000-memory.dmpFilesize
8KB
-
memory/1572-30-0x000002187F680000-0x000002187F69E000-memory.dmpFilesize
120KB
-
memory/1572-29-0x000002181A1D0000-0x000002181A1E0000-memory.dmpFilesize
64KB
-
memory/1572-28-0x000002187F790000-0x000002187F806000-memory.dmpFilesize
472KB
-
memory/1572-20-0x000002187ED70000-0x000002187F310000-memory.dmpFilesize
5.6MB