Overview
Score: 10

Static
Score: 10

Tasks (sample, platform, score as shown on the overview)
XWorm-Rat-...TP.dll    windows7-x64        (no score shown)
XWorm-Rat-...TP.dll    windows10-2004-x64  1
XWorm-Rat-...er.exe    windows7-x64        1
XWorm-Rat-...er.exe    windows10-2004-x64  1
XWorm-Rat-...ox.dll    windows7-x64        1
XWorm-Rat-...ox.dll    windows10-2004-x64  1
XWorm-Rat-...er.bat    windows7-x64        5
XWorm-Rat-...er.bat    windows10-2004-x64  1
XWorm-Rat-...I2.dll    windows7-x64        1
XWorm-Rat-...I2.dll    windows10-2004-x64  1
XWorm-Rat-...io.dll    windows7-x64        1
XWorm-Rat-...io.dll    windows10-2004-x64  1
XWorm-Rat-...NC.exe    windows7-x64        7
XWorm-Rat-...NC.exe    windows10-2004-x64  7
XWorm-Rat-...er.exe    windows7-x64        1
XWorm-Rat-...er.exe    windows10-2004-x64  1
XWorm-Rat-...UI.exe    windows7-x64        10
XWorm-Rat-...UI.exe    windows10-2004-x64  10
XWorm-Rat-...ib.dll    windows7-x64        1
XWorm-Rat-...ib.dll    windows10-2004-x64  1
XWorm-Rat-...ib.exe    windows7-x64        1
XWorm-Rat-...ib.exe    windows10-2004-x64  10
Resubmissions (submitted, task ID, score)
08-06-2024 18:20  240608-wyz2hafb42  10
08-06-2024 18:17  240608-ww7cssec5w  10
08-06-2024 18:11  240608-ws439seb9v  10
19-05-2024 22:48  240519-2rh3asfb62  10

Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2024 18:11
Behavioral tasks (task, sample, resource)
behavioral1   XWorm-Rat-Remote-Administration-Tool--main/CMSTP.dll                   win7-20240220-en
behavioral2   XWorm-Rat-Remote-Administration-Tool--main/CMSTP.dll                   win10v2004-20240508-en
behavioral3   XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe            win7-20240221-en
behavioral4   XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe            win10v2004-20240426-en
behavioral5   XWorm-Rat-Remote-Administration-Tool--main/FastColoredTextBox.dll      win7-20240508-en
behavioral6   XWorm-Rat-Remote-Administration-Tool--main/FastColoredTextBox.dll      win10v2004-20240426-en
behavioral7   XWorm-Rat-Remote-Administration-Tool--main/Fixer.bat                   win7-20231129-en
behavioral8   XWorm-Rat-Remote-Administration-Tool--main/Fixer.bat                   win10v2004-20240508-en
behavioral9   XWorm-Rat-Remote-Administration-Tool--main/Guna.UI2.dll                win7-20240220-en
behavioral10  XWorm-Rat-Remote-Administration-Tool--main/Guna.UI2.dll                win10v2004-20240508-en
behavioral11  XWorm-Rat-Remote-Administration-Tool--main/NAudio.dll                  win7-20240508-en
behavioral12  XWorm-Rat-Remote-Administration-Tool--main/NAudio.dll                  win10v2004-20240226-en
behavioral13  XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe                   win7-20240221-en
behavioral14  XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe                   win10v2004-20240508-en
behavioral15  XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe  win7-20240419-en
behavioral16  XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe  win10v2004-20240426-en
behavioral17  XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe                 win7-20240508-en
behavioral18  XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe                 win10v2004-20240426-en
behavioral19  XWorm-Rat-Remote-Administration-Tool--main/dnlib.dll                   win7-20240221-en
behavioral20  XWorm-Rat-Remote-Administration-Tool--main/dnlib.dll                   win10v2004-20240508-en
behavioral21  XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe                   win7-20240508-en
General
Target: XWorm-Rat-Remote-Administration-Tool--main/Fixer.bat
Size: 122B
MD5: 2dabc46ce85aaff29f22cd74ec074f86
SHA1: 208ae3e48d67b94cc8be7bbfd9341d373fa8a730
SHA256: a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
SHA512: 6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
Malware Config

Signatures
Drops file in System32 directory (12 IoCs)
Process: lodctr.exe
File created  C:\Windows\system32\perfh010.dat  lodctr.exe
File created  C:\Windows\system32\perfh00C.dat  lodctr.exe
File created  C:\Windows\system32\perfc010.dat  lodctr.exe
File created  C:\Windows\system32\perfc009.dat  lodctr.exe
File created  C:\Windows\system32\perfh009.dat  lodctr.exe
File created  C:\Windows\system32\perfc00A.dat  lodctr.exe
File created  C:\Windows\system32\perfh00A.dat  lodctr.exe
File created  C:\Windows\system32\perfc00C.dat  lodctr.exe
File created  C:\Windows\system32\perfc011.dat  lodctr.exe
File created  C:\Windows\system32\perfc007.dat  lodctr.exe
File created  C:\Windows\system32\perfh007.dat  lodctr.exe
File created  C:\Windows\system32\perfh011.dat  lodctr.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Process: cmd.exe
PID 2820 (cmd.exe) wrote to memory of PID 2524 (lodctr.exe)
PID 2820 (cmd.exe) wrote to memory of PID 2524 (lodctr.exe)
PID 2820 (cmd.exe) wrote to memory of PID 2524 (lodctr.exe)

How to read these two signatures together: lodctr.exe is the Windows performance-counter loader, and the perfcXXX.dat / perfhXXX.dat pairs it wrote into System32 are its counter-name and help-text tables, one pair per language ID (007 German, 009 English, 00A Spanish, 00C French, 010 Italian, 011 Japanese). The WriteProcessMemory entries are cmd.exe (PID 2820) writing into the lodctr.exe child (PID 2524) it spawned, which process creation does for every child, so neither signature by itself is evidence of injection. The report does not show the batch file's contents; what it does establish is the chain cmd.exe -> lodctr.exe followed by a rewrite of all twelve counter tables, and that chain, not the individual file writes, is the behaviour to search for elsewhere.
Processes
Network
MITRE ATT&CK Matrix
Downloads

C:\Windows\System32\perfc007.dat
Filesize: 37KB
MD5: 123ae03ae3801d7cf2e7c25a4f36e20f
SHA1: 4cfb548aab839cbf904d815f3a93c1d781bd45c3
SHA256: 966e5204cf91ca573243213c1c8424616d71ce18b77247739b88380df064e82d
SHA512: bbbd9659c7785898dcdaa87c68d711e45382e3984d074fb4cc6327a7cfdf4456ed2ef40e921b68faefc1580d20741197cde19c8f33a84583a5eda919964d3ce9

C:\Windows\System32\perfc00A.dat
Filesize: 40KB
MD5: b781dcb559f2ca18f820c6968bc6817b
SHA1: 28e376625f8cd0d907e402bf3f0c7b178b6c2305
SHA256: b1792b32e188ba4a4953d3b62679fea1c4c011843d6fc0514858fcbbf96ec8b8
SHA512: 2e116b0dbf67cfd8674ff47012d81b4891317368af81fe927f68c15f9275f9fa073564480e62f5ccf671084c7cefff54747e8e663713e86ff26929bc7d79ef2c

C:\Windows\System32\perfc00C.dat
Filesize: 37KB
MD5: 07ba000b2e67565bdf112c35171865a5
SHA1: ff10aba2740b79655cdc06c952b19876d766ad5f
SHA256: 1ff4995e91b7c1a67fafe64e251aa4f81744684d10d0c35789b6a4d1b4ea56c2
SHA512: 72fcaafc7e3fd7e59239c74a9e890b73a2a7f1e88a63a8caeec28452c9a3cb968f542d47c3752597eca41897b316d36c59f14dbaa3a93250e8ca717ca134580b

C:\Windows\System32\perfc010.dat
Filesize: 36KB
MD5: 44869cf36f828490c320281ae16d6533
SHA1: 6426b1a7a38353bc4241669ac0c576749254bb41
SHA256: a8328447eb5b4bc9266ae43cd892ce9726138a0c56abb611f52fb01f7ee439d9
SHA512: da945df94e4dd1f0095669bcd25f393babccb85ddd84035186ad09bb85e684c6173e8b668c441e51109df5a9b1047a79c18249ed169a04df234d5cbd88ca84ec

C:\Windows\System32\perfc011.dat
Filesize: 30KB
MD5: 7aaa3e23ce4c7845b112f7a79b110e60
SHA1: 5269028c98ffa222f0cde48034d5f74c74dee4ad
SHA256: 8c850029e558eb1a22429b21a637516cf5d90ca08ff872b19cf7fb03b33af2f5
SHA512: e8ea6087b5bf3d54469d9e09bb10d47c06ce4ab0dbda9a7fba8ed348b69c8aa717b9389f82f16768141a417a5abd78e41afd7a5c63e4ada0c458724b37a197eb

C:\Windows\System32\perfh007.dat
Filesize: 288KB
MD5: 7d57d289c5f93908319dea1080cc111d
SHA1: e603992400cf24d43468030480bda4f91b296a95
SHA256: 1d5e48f8879225d8df14109e236c99bfdb3840e4f1a7ddce0e20038bfaf2bcf4
SHA512: 88879f2ad89b7ba188bb4206596e730761836d2b2e45255bc4a8a582fa5ef3a835780becac38fd9f8d4ce59c0890f70b8de3de9978028f781401d0be6d743718

C:\Windows\System32\perfh009.dat
Filesize: 256KB
MD5: 8dde32fa04e3ab7e13b88f957e24abd0
SHA1: 907f1209b193854df030a1e24e97a57b09ed48b5
SHA256: 9c46fd4a4745aaba868aa9ff5d0509fac264866a40669577d09dbce65fcecfad
SHA512: f273942791c803c76e4fae7bf362b940900df930f7574e687694ccb1e1870d9031b9996ac250cef8395f580c317f4445113b86820f795ff9f97c6e3723245da5

C:\Windows\System32\perfh00A.dat
Filesize: 333KB
MD5: 2729debbdc678de0cbd778f823e3a27c
SHA1: 76c0893232efb33cfe0e7a72961fc02b0009f524
SHA256: e27925a0fd704e56877383cc68d8a2cb2d523825093c2a0742930e2456ac909a
SHA512: a5b489374dc05f4ac3a5eb97ccd837d77d7cd4461f718a09c1559a963a5b7c6118bf11907b456ba137f548c8241a7aeba2510075cb67031ed57c7224845a3841

C:\Windows\System32\perfh00C.dat
Filesize: 336KB
MD5: 04f6c9757db75ff27c427e5b31ddb289
SHA1: 6f112f48279ed1a421ca85ae649b4bed6afbae39
SHA256: 8bdfa408834ec3252dfb11817d2b3edef7e49e6efec57849271fc4ef09b77444
SHA512: 00c2627e353cff36f56098e1e0f64fe4b4219bd56b56147d2761854375fc1784e2e62f835ce30b43c554e0f792807fbdf5ac63db0ff1cd486dbce16598081122

C:\Windows\System32\perfh010.dat
Filesize: 327KB
MD5: bdf4f4db2aefc3ae41f481810d1f1549
SHA1: 60ae0254bdae4064da29cf9fe9ab9501ac2e65df
SHA256: aa3b8f5a7da23512d660d927284fbc6feea255fea95bf5892fe337930c2ae26a
SHA512: fa4c63bbfec09d74d332aaca38217e4ebb298c52ed3e0576f8b129c1a1bae9f80acb4a8eb980a634b17c719b6577a87f53fa94335906d28f94bdbacb181c8c25

C:\Windows\System32\perfh011.dat
Filesize: 138KB
MD5: 662686a55f1ccf3e9031cd70cdaabaa1
SHA1: 16fc17803c14a048c4bf2a0090114a9a65b97eb1
SHA256: 0fbba9d79e03264221d8d6e96ce857207f66b5d43ea12b0a9f7383f6d51a6652
SHA512: 94673e2ae7f3137986cde24802ebe862877ca895fbb3157fa9f95cafee60f6af5cac62660b0dc4f23de3234aa50d644fc89f4e6242daaf7ddb254ff29967bebd
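The "Drops file in System32 directory" signature and the Downloads list above describe the same twelve writes from two sides, and the first thing a practitioner checks is whether they agree. The script below is an added example by the editor, not code from the report or from the sandbox: it parses the signature text (copied from the report and embedded as literals), decodes the perfc/perfh language suffix, collapses the repeated WriteProcessMemory rows to a single parent-to-child edge, and diffs the created paths against the captured ones. The language-ID table and the rule that only lodctr.exe is expected to write these tables are the editor's assumptions, not something the report states.

```python
"""Cross-check the file-create IoCs against the captured dropped files.

Added example; not code from the original report or from the sandbox. Input
strings are copied from the report above and embedded as literals. The
language-ID table and the "only lodctr.exe writes perf?XXX.dat" rule are
assumptions made for this check, not facts the report states.
"""
import re
from dataclasses import dataclass

# Windows primary language IDs that appear as the perfc/perfh file suffix.
# Assumption: only the IDs seen in this report are decoded; others stay raw.
LANG_IDS = {"007": "German", "009": "English", "00A": "Spanish",
            "00C": "French", "010": "Italian", "011": "Japanese"}

# Assumption: the counter loader is the only process expected to write these tables.
EXPECTED_WRITER = "lodctr.exe"

FILE_CREATED_RE = re.compile(r"File created (?P<path>[A-Za-z]:\\\S+) (?P<writer>\S+)")
PERF_RE = re.compile(r"perf(?P<kind>[ch])(?P<lang>[0-9a-f]{3})\.dat$", re.IGNORECASE)
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<sproc>\S+) (?P<dproc>\S+)")

# Signature text, constructed in the same run-on form in which the report lists it.
FILE_CREATED_TEXT = " ".join(
    f"File created C:\\Windows\\system32\\{name}.dat lodctr.exe"
    for name in ("perfh010", "perfh00C", "perfc010", "perfc009", "perfh009", "perfc00A",
                 "perfh00A", "perfc00C", "perfc011", "perfc007", "perfh007", "perfh011"))
WPM_TEXT = " ".join(["PID 2820 wrote to memory of 2524 2820 cmd.exe lodctr.exe"] * 3)

# Captured drops (path -> SHA256) copied from the Downloads section of the report.
CAPTURED_SHA256 = {
    r"C:\Windows\System32\perfc007.dat": "966e5204cf91ca573243213c1c8424616d71ce18b77247739b88380df064e82d",
    r"C:\Windows\System32\perfc00A.dat": "b1792b32e188ba4a4953d3b62679fea1c4c011843d6fc0514858fcbbf96ec8b8",
    r"C:\Windows\System32\perfc00C.dat": "1ff4995e91b7c1a67fafe64e251aa4f81744684d10d0c35789b6a4d1b4ea56c2",
    r"C:\Windows\System32\perfc010.dat": "a8328447eb5b4bc9266ae43cd892ce9726138a0c56abb611f52fb01f7ee439d9",
    r"C:\Windows\System32\perfc011.dat": "8c850029e558eb1a22429b21a637516cf5d90ca08ff872b19cf7fb03b33af2f5",
    r"C:\Windows\System32\perfh007.dat": "1d5e48f8879225d8df14109e236c99bfdb3840e4f1a7ddce0e20038bfaf2bcf4",
    r"C:\Windows\System32\perfh009.dat": "9c46fd4a4745aaba868aa9ff5d0509fac264866a40669577d09dbce65fcecfad",
    r"C:\Windows\System32\perfh00A.dat": "e27925a0fd704e56877383cc68d8a2cb2d523825093c2a0742930e2456ac909a",
    r"C:\Windows\System32\perfh00C.dat": "8bdfa408834ec3252dfb11817d2b3edef7e49e6efec57849271fc4ef09b77444",
    r"C:\Windows\System32\perfh010.dat": "aa3b8f5a7da23512d660d927284fbc6feea255fea95bf5892fe337930c2ae26a",
    r"C:\Windows\System32\perfh011.dat": "0fbba9d79e03264221d8d6e96ce857207f66b5d43ea12b0a9f7383f6d51a6652",
}


@dataclass(frozen=True)
class FileCreate:
    path: str
    writer: str


def parse_file_created(text):
    """Extract (path, writing process) pairs from the signature's IoC text."""
    return [FileCreate(m["path"], m["writer"]) for m in FILE_CREATED_RE.finditer(text)]


def describe_perf_file(path):
    """Decode perf[c|h]<LCID>.dat: 'c' is the counter-name table, 'h' the help text."""
    m = PERF_RE.search(path)
    if not m:
        return None
    lang = m["lang"].upper()
    return {"kind": "counter names" if m["kind"].lower() == "c" else "help text",
            "lang_id": lang, "language": LANG_IDS.get(lang, "unknown")}


def parse_write_process_memory(text):
    """Collapse the per-call rows to unique (src_pid, dst_pid, src, dst) edges."""
    return sorted({(int(m["src"]), int(m["dst"]), m["sproc"], m["dproc"])
                   for m in WPM_RE.finditer(text)})


def cross_check(created, captured_hashes):
    """Diff create events against captured drops; NTFS paths compare case-insensitively."""
    by_lower = {c.path.lower(): c for c in created}
    captured = {p.lower(): p for p in captured_hashes}
    return {
        "created_not_captured": sorted(by_lower[p].path for p in by_lower.keys() - captured.keys()),
        "captured_not_created": sorted(captured[p] for p in captured.keys() - by_lower.keys()),
        "unexpected_writer": sorted(c.path for c in created if c.writer.lower() != EXPECTED_WRITER),
        "bad_sha256": sorted(p for p, h in captured_hashes.items()
                             if not re.fullmatch(r"[0-9a-f]{64}", h)),
    }


if __name__ == "__main__":
    created = parse_file_created(FILE_CREATED_TEXT)
    for c in created:
        print(f"{c.path}  by {c.writer}  {describe_perf_file(c.path)}")
    print("WriteProcessMemory edges:", parse_write_process_memory(WPM_TEXT))
    for key, value in cross_check(created, CAPTURED_SHA256).items():
        print(f"{key}: {value}")
```

Run as-is, the cross-check reports one gap: C:\Windows\system32\perfc009.dat is among the twelve file creates but has no entry in the Downloads list, so the English counter-name table was rewritten but not captured, while every captured file maps back to a create event and every writer is lodctr.exe. Paths are compared case-insensitively because the signature text spells system32 in lower case and the Downloads list in mixed case, and on NTFS those are the same file.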