xworm

Sharing

Copy URL

Twitter E-mail

General

Target

SolaraBETA3.rar
Size

52.8MB
Sample

240522-t7ytpahe2w
MD5

89db6d8f13e3132810d1ed02735aaa8a
SHA1

e469f02df6a07510f53064c0a6cb6e0a1c417eb0
SHA256

953a78c09d4aa7bec811695ab607ae82f3f304273fc53202192a97083cb606b5
SHA512

0803659473a9fc3dd2ff02aee29320dc8836ee62c35eba153073466c2b6788c59772b333a603e5cc258cc32c8b03a9c6ff226d50c44833c3ad0ad6c2912b9e06
SSDEEP

786432:F7ktIBgNiBMhrko1t8LNWTeMRDbSkxnweIVa8SpV3rNV+PnpYBh8Ab8E9bmVvP6/:J2hHwWTeeSkxnwzg8cNqngV5qX6/3J1b

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/cXrVe9uw
telegram
https://api.telegram.org/bot6979293307:AAEOPp5yyNk59nmm3T6LeHhjYWWOLjWSYdU/sendMessage?chat_id=1370207735

Targets

- Target
  
  SolaraBETA3/Monaco/vs/language/css/cssworker.js
- Size
  
  489KB
- MD5
  
  152244e2ab4f663141e9466a8282ebe8
- SHA1
  
  e9c0e86fbc108600d3e42a6654c5de073607ddce
- SHA256
  
  288bb68a2c685957b5dc3e5353b1a03dc482b10858059063b99c1549d5fef01c
- SHA512
  
  112039647883a1cdb6a860ce1d2980562222b593508da1ea8c9838b7184e76f72de9eb68d2727ce12c78e3c0be7e85101591df6ebde1e73dcf8c2495c8454855
- SSDEEP
  
  6144:PhKjqIze+tAxt+A7zOM1L0G52ppgGDcoFGPL2gXwiOcFt+oiEipHxJKnVZPUsf:IqkA7zO/pUIPsf
Score

3^/10

execution
behavioral1 behavioral2
- Target
  
  SolaraBETA3/Monaco/vs/language/html/htmlmode.js
- Size
  
  18KB
- MD5
  
  c944ad9527d22b6ca6c0d54fd0723296
- SHA1
  
  ddfb323ded66de709fa8b05abe0ada931ac9dd43
- SHA256
  
  80d6f099563af129b4deff66f7b9d4dfb27ad0058dcb5b77d927e460022dafee
- SHA512
  
  3a6abb3a15401d28e4926ac008f991b7a19b359c8420d7e5bb6804061b6f82a2bedfb86823862e1ccfbc046e896cb1a5759199f7e723fd7b1b5e6aeb19f92f58
- SSDEEP
  
  192:hA6ZF2Cw7DrFcelxzEKfxmflhyLpYvws8edvt9vKVwZVtDFzp6RMSyotuK1sD5Sv:hJw7DTfAlhCpvedmw+MS+KOD5Sc7Pzo
Score

3^/10

execution
behavioral3 behavioral4
- Target
  
  SolaraBETA3/Monaco/vs/language/html/htmlworker.js
- Size
  
  154KB
- MD5
  
  3f5802a91a29e4504d5cd2f10ac280b8
- SHA1
  
  368d01e59eaf25f164ab1d80b7f5d74b625b242d
- SHA256
  
  e80444d8fa519ff86e5c696a40843bc8392b2d3afb83118a2dd92da5497c9212
- SHA512
  
  2f3670227710c291e5e9136b2cac5c70421c2537b86219fe17ed33161136a08f5cb2069822b16a58ce377b6d1a265cf33215a1695bda5a701bae566410ce33e7
- SSDEEP
  
  3072:wNxSv2ym9FNq9m8iktJFu/TgHdcyDnLEOhUm3xSvp:wNxSv2ym9FNimBmFu/TgHdcgnLEOhUmE
Score

3^/10

execution
behavioral5 behavioral6
- Target
  
  SolaraBETA3/Monaco/vs/language/json/jsonmode.js
- Size
  
  38KB
- MD5
  
  44955b6c43b7aac58492233efeeb70ad
- SHA1
  
  528b1f0d8ebce7a607c008aa66a1d0ecd903d3d3
- SHA256
  
  08af59e449f6c058514bf05c54511ee6ec83934ab9dc3e803257196b2812e8ae
- SHA512
  
  5a86921260ae9f87eb134513809231c9b512200cd2f330df37a098124db0da8c8bcef5dc668875e21328ce9a6c79440811dbbc3371147690c71d31b97745666e
- SSDEEP
  
  768:ghT0rpM0GwBsUWdD5Sw7NibC2FyGf5Zot3OYoHAymtVoQvafg+HfNc75eEWAdy0h:gyM0GwBeD5jhiA3B7VjIQfdy0h
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  SolaraBETA3/Monaco/vs/language/json/jsonworker.js
- Size
  
  99KB
- MD5
  
  61e9b732bedc39b547804ac7e8897aab
- SHA1
  
  187cba5fbd9c31257119dde24a28573b4973ef5c
- SHA256
  
  7c6d37bb341cf59335f6a3e5e336d0de863124fa40a8f9b5f29d8da07891b649
- SHA512
  
  200e32143bbcda809b0003298aa561ebb27509d309168de81ad8529476ab64caee0502b9fe0b513469c21b82edb421b642183a250d2ba4d65c74ba4c1cbe39dc
- SSDEEP
  
  1536:rIAGGhzNFVAg0Edqq6L05i4Xw9dA+IKFt:cRyzNFV5jXOA+IKT
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  SolaraBETA3/Monaco/vs/language/typescript/lib/typescriptservices.js
- Size
  
  1.6MB
- MD5
  
  0a1a293455f5451ba11e07386ea62d4f
- SHA1
  
  d6a43c68812a3dcddc2973db3f2dd8a6b0e45f1e
- SHA256
  
  90e98063c644749a948edd5a7801f7b00c554e3189fe7c2811926b01eaf1b41f
- SHA512
  
  1674e2ad75c53f99475743618ec59d90ce8eb262131c15daead963ecb847cb70278a6d4608c66710c3cd5e92e03b5552a05401b6b008184dbf892683b27ca34a
- SSDEEP
  
  49152:G6qR6wZ7g2oZNDR3Oy4mtYsT2ACKRRrcLHd5:W61/4mTy
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  SolaraBETA3/Monaco/vs/language/typescript/tsmode.js
- Size
  
  19KB
- MD5
  
  8c1a82479c380d2b2c6b096e12ee9632
- SHA1
  
  78e429dd4a9279267679423ddb0b6d06c11172ac
- SHA256
  
  70957c5ede2834adf1b5bc264e119f82b4e8e6c169fc8ff140d637d1c5287bd9
- SHA512
  
  409c8724ecfa045a7563b5c142ef0a107bffe126140bcbe5202dad59b9ba5ec0db91c74c77d5a60be92110b9d0c942fac61a782ee30a4288774f547f303e1c4a
- SSDEEP
  
  384:hgFzm27hrrEZAmdHpjHenNvaOm/6xS1oTEXx3KjFRMqxRh2l3eBVq1A8WKm3d5vp:2FyHhzHenNvaF6xCoSx3KjFqqxL21eBp
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  SolaraBETA3/Monaco/vs/language/typescript/tsworker.js
- Size
  
  1.7MB
- MD5
  
  1e0047691c3637ad1e0da62023ba0e0d
- SHA1
  
  64902c923c2194e007bc727f7ea4f30b3a796dab
- SHA256
  
  2ccc6b6b1b5d884fe8df3e7b2f2bacca0c4529b68bbfe3c547fcc74f204cc5d1
- SHA512
  
  c1bef7bfd60acfcfb206b9631f8a730b787e94101d519d157d346d8377104d1302c0e9853ba2db944d63f03b181511950b9ea25dd21e41f40b4aeba4bc44c0c8
- SSDEEP
  
  24576:pQIJc020hIvUjQQ0s2oI4Q0s2oI4QIJc020hIvUjQQ0s2oI4Q0s2oIq:Qo3MfgfHo3Mfgfq
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  SolaraBETA3/Monaco/vs/loader.js
- Size
  
  27KB
- MD5
  
  8a3086f6c6298f986bda09080dd003b1
- SHA1
  
  8c7d41c586bfa015fb5cc50a2fdc547711b57c3c
- SHA256
  
  0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9
- SHA512
  
  9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017
- SSDEEP
  
  768:3J6C/c2x0cAu57XQxJRDRi+R/TvrCv3zM2GRl0VEj:Z6grH7qTXRvmDI
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  SolaraBETA3/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  195ffb7167db3219b217c4fd439eedd6
- SHA1
  
  1e76e6099570ede620b76ed47cf8d03a936d49f8
- SHA256
  
  e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
- SHA512
  
  56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- SSDEEP
  
  12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score

1^/10
behavioral19 behavioral20
- Target
  
  SolaraBETA3/WebView2Loader.dll
- Size
  
  133KB
- MD5
  
  a0bd0d1a66e7c7f1d97aedecdafb933f
- SHA1
  
  dd109ac34beb8289030e4ec0a026297b793f64a3
- SHA256
  
  79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
- SHA512
  
  2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50
- SSDEEP
  
  3072:e5i6Uab3sFhPk6vEmG1PU6dLXm2ng3esQDqEt2JljdTu:e5P2e6vERtUyTmHEtmI
Score

1^/10
behavioral21 behavioral22
- Target
  
  SolaraBETA3/Wpf.Ui.dll
- Size
  
  5.2MB
- MD5
  
  aead90ab96e2853f59be27c4ec1e4853
- SHA1
  
  43cdedde26488d3209e17efff9a51e1f944eb35f
- SHA256
  
  46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
- SHA512
  
  f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
- SSDEEP
  
  98304:Com1p/B6MvSmaRI+VcDNkq4pmvhAHDfyyrhl:W1HZNkq4p
Score

1^/10
behavioral23 behavioral24
- Target
  
  SolaraBETA3/XcHvYYrNa.dll
- Size
  
  5.2MB
- MD5
  
  85b0dcb64053e35280477d88e1e05505
- SHA1
  
  70ebc4da4ac422bb47c1c49114d935d01848436b
- SHA256
  
  0c11716983653fef7d0f403c31429d9730c3c182eecc2e518ab98b4de6dd6730
- SHA512
  
  2f79e49f093fd0aaef79cbda75924ddec34a8172182a5cb7ddcde5227897f46e9e55dccf310779918afd1144f2af9a003d58939b5e631ecda147c81b95ad4d64
- SSDEEP
  
  98304:Hjq4IKpMF9j28xRr3gylwOjA3iquS4+RUk2o9/C/omTI:Dq7sMTj2w0yGyGKzmC/om
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  SolaraBETA3/XcHvYYrNa.exe
- Size
  
  35.7MB
- MD5
  
  17a5b2e38e52ba783232e01686477307
- SHA1
  
  19905670b94997dfbcbccdd3437e3595119d9538
- SHA256
  
  f58b4cb63d8d082dd1c6061c4f87f292d194fb7a19c55f6df5ee781431dce31a
- SHA512
  
  e7417c40188807f7b5a2facb6bf10813ec7450a82be9b0d47795e519083e484eb5cf045fa1e7b169695b1f56aefd078294969351d83a38e70a099395e93a6951
- SSDEEP
  
  786432:/QUiPmbQYUS3jKoNpSaDlLlrfrvacgl8x8MQkEweK:/vs1UuDapLlrmcgCxzP
Score

10^/10

xworm evasion execution persistence rat themida trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27 behavioral28
- Target
  
  SolaraBETA3/XcHvYYrNa.exe.WebView2/EBWebView/Subresource Filter/Unindexed Rules/10.34.0.52/adblock_snippet.js
- Size
  
  2KB
- MD5
  
  4dfa3a341bfcdadb42f25a9a4bfdf152
- SHA1
  
  94cf328db1e1c355f2e008ac5408d1d929582863
- SHA256
  
  a12f977a31624efa0d30eaf0a4e613fc1924e7494411fb8584530016b6cae1c0
- SHA512
  
  5273b146edba6a1465f2360b9be46771f575c43c6240c822cab0ddb475e980d048a8f5f9c87312ce425122d70f7c8f6d6c7b700774746fe9c155c344547c9d67
Score

3^/10

execution
behavioral29 behavioral30
- Target
  
  SolaraBETA3/api-ms-win-crt-convert-l1-1-0.dll
- Size
  
  24KB
- MD5
  
  0485c463cd8d2ae1cbd42df6f0591246
- SHA1
  
  ea634140905078e8f687a031ae919cff23c27e6f
- SHA256
  
  983f4d4c7b7330e7f5f091080c1e81905575ebccd97e11dff8a064979ec8d9b8
- SHA512
  
  ddf947a1b86c3826859570a3e1d59e4ec4564cfcf25c84841383a4b5f5ad6c2fe618078416aed201fb744d5fbd6c39dab7c1e964dd5e148da018a825fcc0044a
- SSDEEP
  
  384:WruyxWfhWMLm0GfeQ1MgKlx+YY30Jl0huSwp+M:PlRhg8Ihep+M
Score

1^/10
behavioral31
- Target
  
  SolaraBETA3/api-ms-win-crt-filesystem-l1-1-0.dll
- Size
  
  22KB
- MD5
  
  1193f810519fbc07beb3ffbad3247fc4
- SHA1
  
  db099628a19b2d34e89028c2e16bc89df28ed78f
- SHA256
  
  ab2158fe6b354fb429f57f374ca25105b44e97edcbdc1b752650d895dadd6fd1
- SHA512
  
  3222a10c3be5098aca0211015efe75cfbcd408fd28315acedd016d8f77513f81e207536b072001525965635da39c4aae8ef9f6ad367f5d695de67b1614179353
- SSDEEP
  
  384:W3q6nWm5CpWfhWNLm0Gf3Jl0huSwJ+Ruh91MgKlx+YV:l6nWm5Ce4RVheJUUwg8V
Score

1^/10
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Detect Xworm Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32