Analysis

Max time kernel: 149s
Max time network: 93s
Platform: windows11-21h2_x64
Resource: win11-20240802-en
Resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 05-10-2024 10:39
Behavioral tasks

- behavioral1: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource: win7-20240903-en)
- behavioral2: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource: win10-20240404-en)
- behavioral3: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource: win10v2004-20240802-en)
- behavioral4: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource: win11-20240802-en)
- behavioral5: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource: win7-20240903-en)
- behavioral6: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource: win10-20240404-en)
- behavioral7: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource: win10v2004-20240802-en)
- behavioral8: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource: win11-20240802-en)
- behavioral9: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource: win7-20240903-en)
- behavioral10: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource: win10-20240404-en)
- behavioral11: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource: win10v2004-20240802-en)
- behavioral12: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource: win11-20240802-en)
General

Target: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe
Size: 6.5MB
MD5: a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1: e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA256: 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA512: 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
SSDEEP: 98304:KAc94bqa9niwFYWLqDuTTTTTTdfPPpWLq+Guf2W2b6F72q0:KAcC9iwFYWuDCPPpWu+GduZ2L
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Command Reciever.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: Command Reciever.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: Command Reciever.exe)
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  PID 4936, Command Reciever.exe (all 25 entries name this same process)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 4936, Command Reciever.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  PID 4936, Command Reciever.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  PID: 4936
  Signatures triggered:
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3352