xworm

Sharing

Copy URL

Twitter E-mail

General

Target

CatrinePerm.rar
Size

35.3MB
Sample

240729-nn71cs1bmh
MD5

93f852fd8dd762369828309c5514693a
SHA1

3771382cf84495e1aaffa6350d958320492695f3
SHA256

8e5387b8e5b1d7437979f00b42b6b481281f9ced1c3a7101f6a5832402563e5b
SHA512

45d8330041d3a03d26ed224aaa70663b1c91955159f9dfb23ed1d757c8018ea4279d7aca2f25b1c89f60f85e48f71242d326cdede6e9e1314b0bee3dc56a6eae
SSDEEP

786432:kuH8IqFfBevGJk7CZzIDe3AWTdzmpgwfXhf232fSiiAMkA4:jHQBeGDx3AcFMgwPhfJf/if4

Score

10^/10

Malware Config

Extracted

Family

xworm

78.69.106.17:8000

Attributes

Install_directory
%AppData%
install_file
Update.exe

Targets

- Target
  
  CatrinePerm/CatrinePerm.dll
- Size
  
  811KB
- MD5
  
  5aabc1aaec4fe6297da47c8d327ddd29
- SHA1
  
  ddfb19d827747f4ed4e59d4f2975f7017568e974
- SHA256
  
  45df56d3bd73f3dd6ee05a8d77afd52d61012d1742cae6e42196f9f6f236f6d8
- SHA512
  
  290b5f9e373b39f41b235ea09d90d026db38e0e63b7f660ff020d9c99819d7baa051fe5fae8221fc8eb5ac635a65de47ba127da2453e7d3a25f1ca337afb9fd6
- SSDEEP
  
  12288:bwr+M1vyQiO+e7tmMjg4yDY7YjqhRNecqnfpQzt562ByZG3Xw5FP/umZtD1ryHsw:MzDE4Hzn2pstQEyZGw5F+SD1OHo6T
Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan credential_access defense_evasion spyware stealer
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  CatrinePerm/CatrinePerm.exe
- Size
  
  11.2MB
- MD5
  
  edd32d80dd14f84c7924e4af2953ba9e
- SHA1
  
  0caf3a1acc853056616d9348aa93e8c0e11e3e99
- SHA256
  
  95144e30ef6994482dd42a0ca261014bb9e2d3a3ca3520057918f6c1d4011a84
- SHA512
  
  69e2eb5b81f2b4060eca0b66c88eb30c7f8936adce48bb4fe38bfeefd34d7ed0d152463d26c21dd159888f263d23a4206f0c332e24bce8f6e8a1d00ae221f063
- SSDEEP
  
  196608:84ukkzY1CYQC8H6PWla1FsJ2kdEimSkXrXhUCrcfUUYuH+wDaLs5:84uBY1CY58H6f1FnkdRQbXhUCQcQm2
Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan credential_access defense_evasion spyware stealer
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  f_000004
- Size
  
  2.4MB
- MD5
  
  46a47acda7fdd80dd473759e32ce4cdd
- SHA1
  
  07228c70d179792e0fa8706bc80c8d93c24048ee
- SHA256
  
  2901a0f7ee3a0f9d1beb6ace1e96a14f53562ced4c8e2db18a9ed8219716b99a
- SHA512
  
  2baabf0de9b0339c625fcb7de455e068ecc471164be170eb41906ae7c6552e19482034270d616a2518fa281088fc18cc01dc8699e8b09e031d30b43f5ffd12a8
- SSDEEP
  
  24576:TT5OK3WfXiExqyHTzmG5o40P2CIQ5kNZFx/IbM22TKFNENt8hvC+G:v5Oq8BqP21Q52ZFVIJ2TKFN4uvCF
Score

3^/10

execution
behavioral5 behavioral6
- Target
  
  f_00001c
- Size
  
  2.4MB
- MD5
  
  4ee2fb755967abaa5dfa3077533ea641
- SHA1
  
  28cb2ab2c5bd0f504d57ef111dcc7ecbb4564cf3
- SHA256
  
  b06870081ed26e46b05c8909ac0e9d928249e0547a3ef0985434c54bb47a1ee8
- SHA512
  
  e022241069c7e3b9eee8d5047cea51360caf46e7b4647aba44e1167146f0fe8098ada0158087ca51eb484fb7845fbed0b5f113ebf916f96b724932329b6b3c46
- SSDEEP
  
  24576:kMoPLfNOhG6ZnykiUYfhsLPyQ/iZSOXAB6JVlDfF7pJYW3+vav1vV:JoPLlrmPyQ6ZHXAoVNF7pJPuiv1d
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0
- Size
  
  52KB
- MD5
  
  907a4d3235fc0d5697c35d487c85d26b
- SHA1
  
  f36c4d32175f51fc382ddce94652f1b7b4e94f7d
- SHA256
  
  5359c3853e7ecbbcda58b3ce89ad48630958041656ecf5d541b9509c60611cd0
- SHA512
  
  b15604fcaac678280f8dec044388b666ffc4cb0dba3b7f468c57fcc580bd0bf3782330f21b244ab6a947a3ef7064a2e168b5e355e927598e382a9a6f011b000c
- SSDEEP
  
  768:3SyJmvdqGyhyNt5IXRt3s/BjLmnktzu2xYWbWYtiu2/lfJVpYDGFo6zY3nFZZEPY:iyJmvdO4/K2ynHqjH2hJHWd681ZK4P+
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0
- Size
  
  52KB
- MD5
  
  eee55503dcb1500eb69b3a3d3a67a936
- SHA1
  
  b53c45a32cf4b2ea7b2dbeac3410185744823da0
- SHA256
  
  2d3e221b28a0d99397cafd80b84a8e5f660013a5015da37e26ac679d9298d7a6
- SHA512
  
  5a3c4f899730ab2fac9543c670f99c8735dab87af3f3f6969e6977bb1f466bb1836d1d8ccaaca6fa920a2e3067a08797ce95f39c6f1ab098cf7f5eb9147a42cf
- SSDEEP
  
  1536:YF6J1Jq7DUmEzme6/TJs/9yBpSl0XVBQvf4+CFJf:1J1UEyJ/TJNB3QvAnf
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  CatrinePerm/ControlzEx.dll
- Size
  
  245KB
- MD5
  
  6def9baa2552c072cea16b155fed0668
- SHA1
  
  93c9c9a7bf892d102f75b7fbadcc997488b4ed34
- SHA256
  
  3eceee9042e90da4a433007729778f72516f762599f7920839c751e180a47cb0
- SHA512
  
  62ef6519d0aa5979acd11067ff129ebb85bf62df8e66e395423b0cf33e5aa1541f2a028d38f2f6647cc129f6cc8be381b9c4762928fd4d163a1614652f5984ac
- SSDEEP
  
  6144:kv/YsKAsoWDJH5u6YAZBEmR8OpY82gb7gP2rxp+7vVNviPF1vdy0+mE:kyVoOJBRTdl2
Score

1^/10
behavioral13 behavioral14
- Target
  
  CatrinePerm/DiscordRPC.dll
- Size
  
  82KB
- MD5
  
  c6115a08c8e50dac0194fb98d3edc9d2
- SHA1
  
  903da7fb7ad47b7ad8eb5984ed54a865f6148744
- SHA256
  
  4dd4d48e0681604e3a7a72b6eae42173421d0b806b1af8fa03b45d9999978499
- SHA512
  
  3e43f721cf7b1ab28a4ff771b4186c70523eb2bd236063111593453c08dc8a7cf3fffd6a15af72502e8b800a35fbc7a7bd4ebb5b8f5f41796ee62a7a4a96c324
- SSDEEP
  
  768:eZGfuhWbsoZkmJPTsERSrxWjOFB8ZZnwUMOpSJAT9wQtc3nIYH+nijpJRMnk56Ha:TWIbP3QxWjOQ5pYlPMkh+mTxtSNy
Score

1^/10
behavioral15 behavioral16
- Target
  
  CatrinePerm/MahApps.Metro.dll
- Size
  
  3.4MB
- MD5
  
  fe25094bf44c6e3c8d6145bfec1ef2d2
- SHA1
  
  50696530bd5f24f30ae90742da6bf7bccbafaac0
- SHA256
  
  68768ebd9b04ebe7d9f093414c94a4f550741b7f3cf6ec3089b62c0fa76ee308
- SHA512
  
  9632dceb87befcb04af648c1fd70ffb6f2e497de1026cf9422d3ba4a07f03387e75d5bb85dfdb1e1137d1bf5ac2b66ac984e5417e43e1c47d25df992a25b9f21
- SSDEEP
  
  24576:xkcYr/qDOGL4/7qDL2P/1Y5e1bq7mTv+iruHt+Q:fUlPM2bq7mTv+iru5
Score

1^/10
behavioral17 behavioral18
- Target
  
  CatrinePerm/Microsoft.Web.WebView2.Core.dll
- Size
  
  523KB
- MD5
  
  9f9feedb05b87e1be1c7ab710655d0e8
- SHA1
  
  2886a398d065e13f667b974180589baff890d2b3
- SHA256
  
  5e172b4f558723b7dbb7f568f301077c84d6571436fbe5a5f45bfa621c020403
- SHA512
  
  397be2264710120f1f6c419fc7e6a95915eabd0b0586461fadf7335d3b3e0bc35ebca96acf5cb4002a46f6aef90c0238564519c47c7c62c995b1d7469158b287
- SSDEEP
  
  12288:qDrB322zh+iKsRFN/eA+imQ269pRFZNIEJdIEY0lxPrEIgcvLcglxMwCepM1SwU1:Zj
Score

1^/10
behavioral19 behavioral20
- Target
  
  CatrinePerm/Microsoft.Web.WebView2.WinForms.dll
- Size
  
  39KB
- MD5
  
  4caae0e27f1c493ad732e3a49b38b097
- SHA1
  
  4319402a47be6c022552612303b6dca6eed4bade
- SHA256
  
  32a1e3f4184ce03122c4503b53a7983204fa38e030dcdbbfe64f1b471fd12c42
- SHA512
  
  0ff25e58b8e761e0c5b1a419b35547b4de8f02f2fe07e5ac8bc992bde46ac9fcae261bfd31ab90d9a669fa58cc87b798ec0a9de144245f6e39318e6b4c2eb83e
- SSDEEP
  
  768:L41nHCqoU2GmbUt5740eObba2yfhZDgcEST3p4Jjrjh2jJTSG2au8vxJKia5/ZiE:L+bxyfhZDgcEST3p4JjrjaJTSG2au4xc
Score

1^/10
behavioral21 behavioral22
- Target
  
  CatrinePerm/Microsoft.Web.WebView2.Wpf.dll
- Size
  
  47KB
- MD5
  
  60aac68fd5215f9f2f703bf3d61f7100
- SHA1
  
  fafde9b5785400a013e84b6bccaa5c352589b16b
- SHA256
  
  1eaff15b01117b888678bf552a04b2097f64b11adf01f566e4a8c4eb0f2eeb4d
- SHA512
  
  8d86fe304eda0d66b9e7a7257f7f4254a5f8ac72cc5d6760497ce8284650734f224b8097d9b4f6c9b5a7941c278f5e2e9af5a51f6fe48d185376e32a826351d7
- SSDEEP
  
  768:0rYDVkqAbSEJL637/mkqlw8fDP/ryEH0tBy4JjrD1h2jBhlUaGzkD7hKKa5/Bi/w:DJAbZk7/qw8fDP/ryEH0tBy4JjrD1aBy
Score

1^/10
behavioral23 behavioral24
- Target
  
  CatrinePerm/Microsoft.Xaml.Behaviors.dll
- Size
  
  141KB
- MD5
  
  3add5efdb77ac86592db53b1a22d41c4
- SHA1
  
  05cce0b4888b8a4a9d0035a00da792ae2f2f52da
- SHA256
  
  71e00e2b9ca3088132fc4d54a2076cb07127fe02a5fbc10df8d61cde55dfdbef
- SHA512
  
  f766aab25e307c5dcca8ae09925e11fb2183e19b5936984c082eb794bd99256bfb0ae2441cc615cac5b358ba259033e397cd718aa63912ef2c9de2cd558d99aa
- SSDEEP
  
  3072:vq1jbJHF+e2mLqVQhe1d9PrZqYTXx5r1j2u:i1nJwxasnTp
Score

1^/10
behavioral25 behavioral26
- Target
  
  CatrinePerm/Newtonsoft.Json.dll
- Size
  
  679KB
- MD5
  
  916d32b899f1bc23b209648d007b99fd
- SHA1
  
  e3673d05d46f29e68241d4536bddf18cdd0a913d
- SHA256
  
  72cf291d4bab0edd08a9b07c6173e1e7ad1abb7ab727fd7044bf6305d7515661
- SHA512
  
  60bd2693daa42637f8ae6d6460c3013c87f46f28e9b0dbf9d7f6764703b904a7c8c22e30b4ba13f1f23f6cbee7d9640ee3821c48110e67440f237c2bb2ee5eb6
- SSDEEP
  
  12288:1eos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQk:10/POdGV5jfW5VnhFyvOB7jW5JMty
Score

1^/10
behavioral27 behavioral28
- Target
  
  Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe
- Size
  
  16.8MB
- MD5
  
  ab0d159cbe7e1f7f9adea455506f73b1
- SHA1
  
  a780054d4721e433387091233fd16c67ecbf3bec
- SHA256
  
  21a5b0e1ab9d88eec56dcd1c2ff050742d73e87325922e0840502d211b77b22a
- SHA512
  
  a28fb07060a33405a3d26d92c6479f77e4c403092b71471d0516cb4a431d2af55e48740c14622c6353066f53945ae8185aafb15f15b643ac4254dd26dd157ddc
- SSDEEP
  
  393216:LwA1pdJwTb+1yXa+v5wfFUSwwV6YWlw9Muo4O9W3XfCX5wRIa4o:MADdJYVNCtUS1VWlwa4O2Xfs5O4o
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral29 behavioral30
- Target
  
  CatrinePerm/SevenZipSharp.dll
- Size
  
  147KB
- MD5
  
  05c9849856abc683bcbc5c8d7921c146
- SHA1
  
  ad8ec49116b026eee2dd04d6434ede7ddce9734d
- SHA256
  
  49284b31f28d0a62d797cfcf17f464c8c2b22b29d0e8ab7c15c94724d83e595c
- SHA512
  
  c0bfb5d987fe06eba3a7b0f0c73e24cc74935a8d1efd8a79d64b36c56d498532e453049715fb8c1509eda50a0a2f1213ce67d1edaf6bfcb200e0be58af67ea5e
- SSDEEP
  
  3072:auMYWaB5+DBS4+aYX/PzJiXyjdZXUtd6uEhd/yZcvdUCG:auMYD7gJY1iXyjb
Score

1^/10
behavioral31 behavioral32