Overview

overview

10

Static

static

10

XClient.exe

windows10-1703-x64

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-1703-x64

10

XClient.exe

windows10-2004-x64

10

XClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-07-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    34KB

  • MD5

    8bb9d79ea292fc23e600ebd7957e9333

  • SHA1

    4e78c73a5383f14edc669260524da4bdd5130c36

  • SHA256

    12631c9b83e06b20eb1727eff06e2d6e264e8c58d62ea6ee5d351d195af3502a

  • SHA512

    35101121210917d2dfd34e48f1b29e8806637b58cd18a0bbf93da1ee6decfac12ce55c0820e22c691287c7572bcdba69fc5d134ba4834c015aa553250d6383d8

  • SSDEEP

    384:+xYQVyqLSxEe4fIETsI5feQjFptmByujICLYFiiXmv50QAXnxF8QFhk58pkFyHBp:yrvaUuYsIQehkVFyr9eWTOjhmSDc

Score
10/10
asyncratstormkittyxwormdefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

insurance-helmet.gl.at.ply.gg:31388

Mutex

wbZwsAW8h4Ee9jvd

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6758433214:AAHsOKdFy4qDz6vRHO6UQUpRG85G-wZvC1Y/sendMessage?chat_id=6234857847
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 8 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\AppData\Local\Temp\odgstd.exe
      "C:\Users\Admin\AppData\Local\Temp\odgstd.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2324
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:2292
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4064
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4516
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1844
    • C:\Users\Admin\AppData\Local\Temp\fdtbjs.exe
      "C:\Users\Admin\AppData\Local\Temp\fdtbjs.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4172
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:1876

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Wi-Fi Discovery

    1
    T1016.002

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\3f962c9ad51052f393efea7eadf6c665\Admin@KZOWYSNI_en-US\System\Process.txt
      Filesize

      4KB

      MD5

      1ff47f6283745073148c4f78b2e6dd78

      SHA1

      d8755c84a0b2321fc52caf1f39ba8950cb4f7047

      SHA256

      996829ec0b76739f289b63f1cb4dc1bf2aadb684565aaa6faf53409c2c6632e5

      SHA512

      95902cc90240b5e6d7d9dde969ca21f14a6c5ca055f270e75b70074e3b233993b3c199f88546f6fb140a7541bb5ff9f566444a9bd4ded1a1ecd23fb53a8214b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fdtbjs.exe
      Filesize

      436KB

      MD5

      173a4279e79645180febd00f8a66fefe

      SHA1

      92ed3111f7bf0f63e5089463b04c9dec0d2cd7e8

      SHA256

      5b1267781df5fa980e338f4dacd44984955d92c438209e55088efd1b1820e9ac

      SHA512

      f572abb593a1ffb10f8b106ed9e17d47b2cce4955da965d6915069c3bc310b7365414d6fe49cc63aad3ab0375125afd04949b1cfb9299b27bf34d004c1c2da5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\odgstd.exe
      Filesize

      175KB

      MD5

      9f2d773fd80c4da7ae3ce95da359f9dc

      SHA1

      6cb470ad352e52ea0ec5f863ea4ee083e983caed

      SHA256

      eb40ef4c4b8ba46300b9f95edc2f7f5ad4c7ea1e812580e3cda28b48f9ef0406

      SHA512

      83a6af54e2d550e1b8f20b6709e7f06515e4c491cbc25ebf1f1e62533cb3f71ef9b58a453f64e04eace1b7cb06f55771907047eba4afa993d88453a74825850f

      Download Submit

    • C:\Users\Admin\AppData\Local\c1ac1dce9794b2828be22d26e4549175\msgid.dat
      Filesize

      1B

      MD5

      cfcd208495d565ef66e7dff9f98764da

      SHA1

      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

      SHA256

      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

      SHA512

      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

      Download Submit

    • memory/2316-11-0x00000000002B0000-0x00000000002E2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2316-10-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2316-12-0x0000000004AF0000-0x0000000004B56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2316-130-0x0000000005610000-0x00000000056A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2316-131-0x0000000005BB0000-0x00000000060AE000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/2316-135-0x0000000005720000-0x000000000572A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2316-141-0x0000000005B90000-0x0000000005BA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4172-170-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB

      Download

    • memory/4920-4-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4920-3-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4920-0-0x0000000000D30000-0x0000000000D3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4920-1-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

      Filesize

      1.9MB

      Download