xworm | c43fa1f0bbfbb8f91d9a339b97922494bf790c6b58bf973b56836ef52a3196cd

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 17:59 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ent.exe
Size

44KB
MD5

211661398474b9c96a1d704823d0e552
SHA1

5afcd1a87a69ea1c84a06fdf7079660133ceb28a
SHA256

c43fa1f0bbfbb8f91d9a339b97922494bf790c6b58bf973b56836ef52a3196cd
SHA512

51717923b8d063874d5216db14adbe506826715773845c17961c5e52ed072380ea8b9b75d55559f855e6f42c35c8dd984c055eb3d1f7bec02c62463423c96666
SSDEEP

768:trlZa605WoOu+tpBERbGTHDUgkbZCfr2A33O3sh0l0E:tfq0u+tpKbAjXkbZCjjO3s60E

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/XzLzRHpk

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/2960-1-0x0000000000330000-0x0000000000342000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
1	pastebin.com
1	0.tcp.eu.ngrok.io

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	ent.exe

C:\Users\Admin\AppData\Local\Temp\ent.exe
"C:\Users\Admin\AppData\Local\Temp\ent.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

Network

DNS

pastebin.com

ent.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.3.235

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235
DNS

8.8.8.8.in-addr.arpa

ent.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

0.tcp.eu.ngrok.io

ent.exe

Remote address:

8.8.8.8:53

Request

0.tcp.eu.ngrok.io

IN A

Response

0.tcp.eu.ngrok.io

IN A

3.125.209.94
DNS

0.tcp.eu.ngrok.io

ent.exe

Remote address:

8.8.8.8:53

Request

0.tcp.eu.ngrok.io

IN A
GET

https://pastebin.com/raw/XzLzRHpk

ent.exe

Remote address:

104.20.3.235:443

Request

GET /raw/XzLzRHpk HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 03 May 2024 18:00:13 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 561
Last-Modified: Fri, 03 May 2024 17:50:52 GMT
Server: cloudflare
CF-RAY: 87e2263d7a10731a-LHR
DNS

235.3.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.3.20.104.in-addr.arpa

IN PTR

Response
DNS

94.209.125.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

94.209.125.3.in-addr.arpa

IN PTR

Response

94.209.125.3.in-addr.arpa

IN PTR

ec2-3-125-209-94eu-central-1compute amazonawscom
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.229.43
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdweu03.westeurope.cloudapp.azure.com

onedscolprdweu03.westeurope.cloudapp.azure.com

IN A

13.69.109.131
DNS

131.109.69.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.109.69.13.in-addr.arpa

IN PTR

Response

104.20.3.235:443

https://pastebin.com/raw/XzLzRHpk

tls, http

ent.exe

816 B
5.8kB
10
10

HTTP Request

GET https://pastebin.com/raw/XzLzRHpk

HTTP Response

200
3.125.209.94:14771

0.tcp.eu.ngrok.io

ent.exe

2.2kB
1.9kB
29
39

8.8.8.8:53

pastebin.com

dns

ent.exe

250 B
275 B
4
3

DNS Request

pastebin.com

DNS Response

104.20.3.235

172.67.19.24

104.20.4.235

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

0.tcp.eu.ngrok.io

DNS Request

0.tcp.eu.ngrok.io

DNS Response

3.125.209.94
8.8.8.8:53

235.3.20.104.in-addr.arpa

dns

438 B
912 B
6
6

DNS Request

235.3.20.104.in-addr.arpa

DNS Request

94.209.125.3.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.229.43

DNS Request

43.229.111.52.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

13.69.109.131

DNS Request

131.109.69.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2960-0-0x00007FFA13763000-0x00007FFA13765000-memory.dmp

Filesize
8KB

Download
memory/2960-1-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2960-2-0x00007FFA13760000-0x00007FFA14222000-memory.dmp

Filesize
10.8MB

Download
memory/2960-3-0x00007FFA13763000-0x00007FFA13765000-memory.dmp

Filesize
8KB

Download
memory/2960-4-0x00007FFA13760000-0x00007FFA14222000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.