xworm | b04805a93e29a1417cb67150005ef27cc743f2ecbe0ef221257a16c3f0521977

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GalaxySwapper.exe
Size

169KB
MD5

465e6a6662415e49b65f59cb8ded03f1
SHA1

082cb2d0e56c39c5c63e288865d44636dca3ad31
SHA256

b04805a93e29a1417cb67150005ef27cc743f2ecbe0ef221257a16c3f0521977
SHA512

46d966abf3ee8d219b80975c0cb328329edda73139a4a1463bac68b2d0f42a499cea45ec73fc085026ffc2a3c864becc34ade7be48549222541fe51aa6735b4c
SSDEEP

3072:WzMVVI0kbXX6ElevOO37vBz65/M6If+3Js+3JFkKeTnL:WztnbnwxBt25

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

agency-lottery.gl.at.ply.gg:21526

Attributes

Install_directory
%AppData%
install_file
startup.exe
telegram
https://api.telegram.org/bot7375237961:AAFlPWXmEriRUUWDWeG1DeZifKaAFaWD10Q/sendMessage?chat_id=7534517325

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2748-1-0x0000000000AD0000-0x0000000000B00000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\startup = "C:\\Users\\Admin\\AppData\\Roaming\\startup.exe"	GalaxySwapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	GalaxySwapper.exe

C:\Users\Admin\AppData\Local\Temp\GalaxySwapper.exe
"C:\Users\Admin\AppData\Local\Temp\GalaxySwapper.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2748-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000000AD0000-0x0000000000B00000-memory.dmp

Filesize
192KB

Download
memory/2748-3-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-4-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2748-5-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads