xworm | 1e3b4846c9c304c0ea408381e99c1f80940cdd7e3d30170afd23ab492bfd5d13

Resubmissions

21-05-2024 16:26

240521-txyqyabf56 10

21-05-2024 16:11

21-05-2024 16:06

21-05-2024 16:02

21-05-2024 15:59

Analysis

max time kernel
135s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

32KB
MD5

796d46d24a498cbd5c0161979b6b97ae
SHA1

0bad45e27d99ab1900cbb99bd97895c2286f7c53
SHA256

1e3b4846c9c304c0ea408381e99c1f80940cdd7e3d30170afd23ab492bfd5d13
SHA512

0046a95e056a3e7385d46fd383e3bc48b0b6891726d2dbcb2901139af5c9d1a3bb415446fc236b68cbf0a87cc13185f6fb2604447f02228c9c1f92f67a0593d4
SSDEEP

384:5YxRXcrP31VZBELRUnvJff3cdiwOURJpkFTBLToOZwxJd2v99IkuisuVFxOjhlbD:lPjgRevJ3cdIUGF/9jTOjhlbD

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

ee7Mn1pG1AADdFhL

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/LY8grq3Z

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4144-1-0x0000000000CF0000-0x0000000000CFE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
4 0.tcp.eu.ngrok.io
1 pastebin.com
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4580 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XClient.exe

description pid process

Token: SeDebugPrivilege 4144 XClient.exe

flow	ioc
2	pastebin.com
4	0.tcp.eu.ngrok.io
1	pastebin.com

pid	process
4580	timeout.exe

description	pid	process
Token: SeDebugPrivilege	4144	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

XClient.execmd.exe

description	pid	process	target process
PID 4144 wrote to memory of 4936	4144	XClient.exe	cmd.exe
PID 4144 wrote to memory of 4936	4144	XClient.exe	cmd.exe
PID 4936 wrote to memory of 4580	4936	cmd.exe	timeout.exe
PID 4936 wrote to memory of 4580	4936	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.bat

Filesize
159B

MD5
7b0fb7478a5923d604fd5bea49adbb2f

SHA1
cfcb2ab68b7ed1570ae37e5cd2525c37deddcb8c

SHA256
a9933d827409be2d21e79a53fd0e7a68a5074e8bfc3edb70b41ddb8038394b2a

SHA512
1beb11456f879cc34b4552c35d0a96785290fca09ad5ec86843935c61b81d374c4e96f9313f64112c1d917a01a3f262fdab80a877d5efe393083eb64881a1aa8

Download Submit
memory/4144-0-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp

Filesize
4KB

Download
memory/4144-1-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/4144-2-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp

Filesize
9.9MB

Download
memory/4144-3-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp

Filesize
4KB

Download
memory/4144-8-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp

Filesize
9.9MB

Download