xworm | 13cee60c3b7075748252bda9170f1ef4bf89aa7a051669f4a359f65cfa59f7fc

General

Target

2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe
Size

11.8MB
MD5

13510ee957b93e9bc0d5f5f1ea2e981f
SHA1

befa9cebba6fb51d96543a079cfbb9fc08cd4dde
SHA256

13cee60c3b7075748252bda9170f1ef4bf89aa7a051669f4a359f65cfa59f7fc
SHA512

835e72432560d08d71abfe544ac712fc9c32d5d36185dff9b6282833f681237dc707889f7f93df58467a4402ee7a50522a2f46a3361e70be2ea521883c1b80f2
SSDEEP

196608:d/1NeAhlsGbOd4TPgUwrOZA0TQWKzpKhS/:dje8XbVTPgUwqZNxhS/

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

20.206.207.64:7000

Mutex

3fx4DGwKa2tqA8ov

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3816-13-0x0000000000720000-0x000000000072E000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe

description pid process target process

PID 4424 created 3500 4424 2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe Explorer.EXE
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

description	pid	process	target process
PID 4424 created 3500	4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe	Explorer.EXE

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3816-13-0x0000000000720000-0x000000000072E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
14 raw.githubusercontent.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

UserAccountControlSettings.exe

description pid process target process

PID 2596 set thread context of 3816 2596 UserAccountControlSettings.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe

pid process

4424 2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe
4424 2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe

pid process

4424 2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 3816 vbc.exe

flow	ioc
3	raw.githubusercontent.com
14	raw.githubusercontent.com

description	pid	process	target process
PID 2596 set thread context of 3816	2596	UserAccountControlSettings.exe	vbc.exe

pid	process
4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe
4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe

pid	process
4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe

description	pid	process
Token: SeDebugPrivilege	3816	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exeUserAccountControlSettings.exe

description	pid	process	target process
PID 4424 wrote to memory of 2596	4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe	UserAccountControlSettings.exe
PID 4424 wrote to memory of 2596	4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe	UserAccountControlSettings.exe
PID 4424 wrote to memory of 2596	4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe	UserAccountControlSettings.exe
PID 4424 wrote to memory of 2596	4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe	UserAccountControlSettings.exe
PID 4424 wrote to memory of 2596	4424	2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe	UserAccountControlSettings.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe
PID 2596 wrote to memory of 3816	2596	UserAccountControlSettings.exe	vbc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\UserAccountControlSettings.exe
C:\Windows\SysWOW64\UserAccountControlSettings.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-11-0x0000000000AE0000-0x0000000000D43000-memory.dmp

Filesize
2.4MB

Download
memory/2596-1-0x0000000000AE0000-0x0000000000D43000-memory.dmp

Filesize
2.4MB

Download
memory/2596-4-0x0000000000AE0000-0x0000000000D43000-memory.dmp

Filesize
2.4MB

Download
memory/2596-3-0x0000000000AE0000-0x0000000000D43000-memory.dmp

Filesize
2.4MB

Download
memory/2596-2-0x0000000000AE0000-0x0000000000D43000-memory.dmp

Filesize
2.4MB

Download
memory/2596-5-0x0000000000AE0000-0x0000000000D43000-memory.dmp

Filesize
2.4MB

Download
memory/2596-0-0x0000000000AE0000-0x0000000000D43000-memory.dmp

Filesize
2.4MB

Download
memory/3816-12-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/3816-6-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/3816-13-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/3816-14-0x0000000004FE0000-0x000000000507C000-memory.dmp

Filesize
624KB

Download
memory/3816-15-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3816-16-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3816-17-0x0000000006080000-0x0000000006112000-memory.dmp

Filesize
584KB

Download
memory/3816-18-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/3816-19-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/3816-20-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads