xworm | 7499661b53d56a269ee1ff6817a8449120735f015c16d76f1edb74114f9343a2

General

Target

nursultan crack.exe
Size

36KB
MD5

4a39cd1b911d7237d3ad198245501e5a
SHA1

b7eaab3752df42f759d198ea9de719a3c76ffc67
SHA256

7499661b53d56a269ee1ff6817a8449120735f015c16d76f1edb74114f9343a2
SHA512

1627b3e893721c0530aba12a7d93a0ad34ad94ffdc5f5e1ad93b82e245d59cfdb0881de4ae186b9a321ad391984d0ba489dca4881ed45633039c31412da8d871
SSDEEP

768:OTAJM/jPWzJzGMpFALFyn9CUIOjhaD2j:OEsjO1eFU9CHOjt

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

remove-woman.gl.at.ply.gg:53860:5915

Mutex

J3OlWpD2zCDTeEld

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2428-1-0x0000000000310000-0x0000000000320000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

nursultan crack.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	nursultan crack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	nursultan crack.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2776 vlc.exe

flow	ioc
2	ip-api.com

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

taskmgr.exe

pid	process
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2776 vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

nursultan crack.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2428	nursultan crack.exe
Token: SeDebugPrivilege	2428	nursultan crack.exe
Token: SeDebugPrivilege	2060	taskmgr.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

vlc.exetaskmgr.exe

pid	process
2776	vlc.exe
2776	vlc.exe
2776	vlc.exe
2776	vlc.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

vlc.exetaskmgr.exe

pid	process
2776	vlc.exe
2776	vlc.exe
2776	vlc.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

2776 vlc.exe

C:\Users\Admin\AppData\Local\Temp\nursultan crack.exe
"C:\Users\Admin\AppData\Local\Temp\nursultan crack.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SelectClear.avi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2060-21-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-20-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2428-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2428-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-7-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/2428-8-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2776-16-0x000000013F570000-0x000000013F668000-memory.dmp

Filesize
992KB

Download
memory/2776-17-0x000007FEF1E10000-0x000007FEF1E44000-memory.dmp

Filesize
208KB

Download
memory/2776-18-0x000007FEEEF10000-0x000007FEEF1C6000-memory.dmp

Filesize
2.7MB

Download
memory/2776-19-0x000007FEEDC50000-0x000007FEEED00000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads