xworm

Sharing

Copy URL

Twitter E-mail

General

Target

Rc7Rel.zip
Size

9.9MB
Sample

241005-xlzqmszanr
MD5

5a05edc4aa8452eb894e8fe8b15a05f2
SHA1

753b05b765375d5051a97e78c3290d2bb57d8436
SHA256

e2430be4254080e2ad735e09c0e5fc83ebe2fc034662edcc898f6444bb6ec0d5
SHA512

c6f651eda33cf1cc23f0667894f8ea0440cd4e9b95b8c4c0aaaee34081d2202908935fa7cb606c3a15afcb6a97bbdc590a1dac6320ef8c3a1b7752243d881813
SSDEEP

196608:ki9qWD1m7lBz6x4M2Y7Lux/jyAVW4TZJtbYNB6ha:kdWo7b84M2YM/9Trt1ha

Score

10^/10

Malware Config

Extracted

Family

xworm

127.0.0.1:22612

bay-husband.gl.at.ply.gg:22612

Attributes

Install_directory
%ProgramData%
install_file
WebRuntime.exe

Targets

- Target
  
  AlphaBlendTextBox.dll
- Size
  
  24KB
- MD5
  
  e6b8735ea19da68d9baa23f945a6fad3
- SHA1
  
  65ae6742bf4106ce56d57d3ab427bd3e379f9ca3
- SHA256
  
  48541be9ed6be56e4ee61dd48ce6b237b7a83a3be4db5a54ce350a042c77ecfe
- SHA512
  
  ca3f3945406b9dc64b67f78cb75687b487203f177f4d3a96ae070f5aafa01ef43c733dd69847c095d6484a616abfe85f37568f8b289564693b6a3947fcac4585
- SSDEEP
  
  192:iDGJzcLqS+q+obtogcv7QZYU+Am6+cfX/huI1Ps1YK2c5PkDVX:iKqHtobQZYU+Al+8XAI1q2c5PkDVX
Score

1^/10
behavioral1 behavioral2
- Target
  
  Aspose.Zip.dll
- Size
  
  3.1MB
- MD5
  
  322f5ac4c812d1c54e4b5c332777090e
- SHA1
  
  107dfdc3c1a8691a3af72083e5990b9f976bb216
- SHA256
  
  b78c5a7f048508213929a902cafa058b66cebe742240198c65403fe7f5ed0d3f
- SHA512
  
  35c51b7d6b746efe0dc0e577fd3b974edf2761e5fe94f2b7db2356338e5ce97f6785bb083751683386b5ff7b4ccc3bea1ad5832f9481f1cac607c2e5d51a8877
- SSDEEP
  
  49152:PVfklBmsMNwpJNDgS3a7fyWMQPFVxzwzE8qFzOaeu+AisC:PVi/9mz97zwzr+wwC
Score

1^/10
behavioral3 behavioral4
- Target
  
  Bunifu_UI_v1.5.3.dll
- Size
  
  236KB
- MD5
  
  2ecb51ab00c5f340380ecf849291dbcf
- SHA1
  
  1a4dffbce2a4ce65495ed79eab42a4da3b660931
- SHA256
  
  f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
- SHA512
  
  e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
- SSDEEP
  
  6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
Score

1^/10
behavioral5 behavioral6
- Target
  
  RC7.exe
- Size
  
  809KB
- MD5
  
  8431fbda6408a7a2d8d954abb46d0012
- SHA1
  
  2f268b2a51379762b268f0b208ca48826e623f93
- SHA256
  
  befedb8dcf588b42acd2db96dc71d82df5da67821b0b3403098de3b77e345b33
- SHA512
  
  e25bf48f70bad66c48095514444f64717aea8c14228519e76a6d0280cef2458af513f68d26fc11bb4599e125acd9d88c8af0092cc20d11434b97b2de5e5fad64
- SSDEEP
  
  6144:gbK5rCbsIg2mvqvUOCbsIg2mvqvUzwvIJVLfsMT:DMbsIg2mCvUPbsIg2mCvUztVLfRT
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8
- Target
  
  System.Runtime.CompilerServices.Unsafe.dll
- Size
  
  21KB
- MD5
  
  82d8aea1b8101b7a70c2d47636e29340
- SHA1
  
  fd55a3bc6b0928a029b29dd0559fed4ce30b79d4
- SHA256
  
  92726189520484eb6eb2fc977c1b87e6510b565387d2d0aeaf55d42058973d36
- SHA512
  
  c45b9d897d1bc3d7ea24f1cbfb3cb9c2b79212492ad85aa9613827f9a97cf40c37ff48f929bd0e8cbaa9cc34a4656df43db3df1c36370f06b0ec1bb303ef340e
- SSDEEP
  
  192:L6MyXqODrcxdZyluZCCjdks/nGfe4pBjSLAdS4BEWAaAXcrMHnhWgN7aMW+4JqnD:L6SOadHFm0GftpBjxp4aQHRN74l3g
Score

1^/10
behavioral10 behavioral9
- Target
  
  System.Text.Encoding.CodePages.dll
- Size
  
  743KB
- MD5
  
  1d0a876eaaf4b12ee6fbe592e34920ba
- SHA1
  
  62d81e666e4024049a9edefc25f293900563bb2c
- SHA256
  
  a750dd0f58327ac94487c92475eabb99487a46407256e2fa8593852b4eebcef8
- SHA512
  
  a6a50f4bcefca1c35142d8e6bbadfbb2890396bce078a4a19d704289adca40143c18d2f2949f0cc40e2d543b33632d5134ae68dc5aa0987181ad3c8ee8860a3f
- SSDEEP
  
  12288:fWy07xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6r2B:He9km6k/IwRYbiBeKGC/B
Score

1^/10
behavioral11 behavioral12
- Target
  
  bin/Monaco.html
- Size
  
  6KB
- MD5
  
  fc63d6f8cfd66d984df8e003cd30ce4c
- SHA1
  
  767beb1b385f89ef98d6aab11abacc564fc3c2b7
- SHA256
  
  aaf84c7789f9f4a7505c408e484d0d04a5ddfe2badd3973acd41bf2e6a2bfbf5
- SHA512
  
  843bb9660de5827a28a94799c4b745bc2c1c56db72d36b989ea2b72a3868d0b68fac36b5e320293e26034e4d2b0f9b0946162ea2f4b8e919131d888a825e5101
- SSDEEP
  
  192:Q3+OKFLvkJj7gpk32eynKZyt7TJPAqkvKU3LI+QrzZws:Y+OKFK3gi32eynAhs
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  bin/MonacoEditor.html
- Size
  
  6KB
- MD5
  
  cff4feef176cef910036d01c653d9287
- SHA1
  
  2ec40c7ea8d85a126c39f294d82cd128217c0b6a
- SHA256
  
  3e06c186e632d01ebc2ef38fb0c082f26e14132697afe8750173f4a09569147a
- SHA512
  
  f1d5707a947d1172cd8b06b8dec8cffd8ae88486c4a7a685ef88b8c619fee84efcf0cf5ec193c1f5b3dfcb3bf5aa74cb5ce89003d092d7414aadf2c2a6e5587d
- SSDEEP
  
  192:Q3+OKFLvkJj7ppk32eynKZyt7TJPAqkvKU3LI+QrzZws:Y+OKFK3pi32eynAhs
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  bin/vs/base/worker/workerMain.js
- Size
  
  149KB
- MD5
  
  27ead90c7702154755785e0e53398755
- SHA1
  
  86b59485fe6f6ccb1805183fa75062a2ac1c859e
- SHA256
  
  bdf9433692a08851e13dd58504eef19f51bd2ec7241923a68edf5772e0e53af5
- SHA512
  
  6829681575179c90bb7817b17feee60e7d44d8abb15264ab39d7f0edf95dd1d030b99c12b005c753cd786c26ce6f17ff09b058c16f3363596f785e386ef78e82
- SSDEEP
  
  1536:XNSxrkwnz+dTHHfvYYdBwDZ2Ogvh52xgh2hQXIvTBaB7hU74Yc6aphU1PblosJEl:XzdTagJkb+6jFlJJEt9yjjTCD2zw
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  bin/vs/basic-languages/bat/bat.js
- Size
  
  2KB
- MD5
  
  4cb475399c4490eea41982dcd6d9653e
- SHA1
  
  fc97d57206ff7fa1c89ff0fc9f6e2f04a20ea185
- SHA256
  
  9bca42394fe8922fec24b768eeb8ce04692de6fad82f9052d5b7e70f5c6b0f40
- SHA512
  
  27eefe83cf38a7d784414d99b472f6fcd7e595691eb0f368254ba1f71aaf702840b62bf232c30c515a8fada234699fefeef496c0c24669cc158cb567227e4783
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  bin/vs/basic-languages/coffee/coffee.js
- Size
  
  3KB
- MD5
  
  9d0c4ac1691eed0a480c3e9246490d29
- SHA1
  
  38258864fd070c35cec6b68715d58771df9fe3e1
- SHA256
  
  e706c9f8e5c5a0cb01b2f4e4879ec34a050d6eb2a8840284eb7badd9d78099f9
- SHA512
  
  437a703607a9f0cb96ffb56312d149b95f596290591d14098c36d978b2e1fdba3c3712c9099923bc0a709c5c0ebd7eea868f63dfbcc69cdf5a9325b8a67006b6
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  bin/vs/basic-languages/cpp/cpp.js
- Size
  
  5KB
- MD5
  
  0a16509e6cd0155fb622e785cfe976c7
- SHA1
  
  7afa7f823191c43d7a4bdd7d91577495de62c21a
- SHA256
  
  a7c2bea7ca3d9e203a3a286735945fe010c8f4f8d46620386ee8befc6a78b32b
- SHA512
  
  2cbc48cb10c467561c6a84f59405e9c2f864640b3a21e6fe5cd14ad1a7ca5667b766b3c0511df26f28205dd17338a878bd1164a4f5875235a73214f3e4aeb49d
- SSDEEP
  
  96:hFDMgRs/rbV1+gqVV1+/LVb9ZRC2seM6jjz13MwVcEghhb6Yw76wGcmvRBNIs:hZGrTOcVv5M61h8hSeiYL
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  bin/vs/basic-languages/csharp/csharp.js
- Size
  
  4KB
- MD5
  
  f8f841d13c9220e15dcd6bc386b37ba2
- SHA1
  
  2b8b7003820d19ed83afde98c845db5e3d5753f8
- SHA256
  
  6b3be9a86ee8e3202f51745d94d24cc1eefbcf7d9e6d94fbaf70146b084e835f
- SHA512
  
  0b167865b8d7847792c80144e83bdf33655db6ecc0934bb3290f8b5793fee8168aeaf9d74b3541a9424c4f180aad496c2d8710e3847a5bf9d4b2c960ddea4ae5
- SSDEEP
  
  96:hFDMgRsVx+rbV1+gqGV1+hmQuq1cBh8b7gj8/pLxb6J994wGcKU7dYIkI:hZi+rTtPsRXpw9SiKUJGI
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  bin/vs/basic-languages/csp/csp.js
- Size
  
  1KB
- MD5
  
  22ada25d590811dcff4e5f5d698e583b
- SHA1
  
  c43d4846967d5037ef05b102e49d1fbc54e45fbc
- SHA256
  
  4b5a5d7d50986b86b00833447e097c0f01a4388ce1765b48e7e371d06e3a4789
- SHA512
  
  c8373ea0b78114f82e8bf027473f72ada0d8acd51623152a0072111d8b3b7d5ac310a1cc510c4e4cd2e97a7686db3c87b2da675fc910898bd11108e4b50ed189
Score

3^/10

execution
behavioral27 behavioral28
- Target
  
  bin/vs/basic-languages/css/css.js
- Size
  
  4KB
- MD5
  
  49ad30f1151cfd7a74677fdc6dd13da9
- SHA1
  
  286d47f0a4cfa26da2e4d1f1317a8c87000bb5fc
- SHA256
  
  bd331fd3bd2c37b0c3150035325f163ac9266bf6d942310764815e676d856d91
- SHA512
  
  7337706bfd5bd54938da0fba35e97f8e5780491c04b58d43fc6d905bd2dca92897f1ed8d48e42665f166da7684cc6e29a63ae73f8d3779a9feb97c397a642f0d
- SSDEEP
  
  96:hFDMgRsozIq+q17qcq6V1+/aMj1cqTroIrqjKf8O3lzXY0Jc:hZzzv9VmjoOf8O39XbJc
Score

3^/10

execution
behavioral29 behavioral30
- Target
  
  bin/vs/basic-languages/dockerfile/dockerfile.js
- Size
  
  2KB
- MD5
  
  e32de981bdaf75e6ffb8fe40bc955a68
- SHA1
  
  bef1af7b26ea01c987c7a6295bb7192d83a32068
- SHA256
  
  65b86fc54e9b35d6cb84f01dfb905680dbcad6605757de1d6bca84e3029889af
- SHA512
  
  a3eadd8c1389dff6c2c6e595efff69be3a573d01e4e16b8e4a8b28f63e4c48c9c439b5dd93666d81d703d1c6b5bf927cc8e47d04af270128095f0d579407c2f4
Score

3^/10

execution
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32