xworm | 0fc1658f9e5bcdc8f1d437fbbfe30a1e12a6535c3610b65521cce786246f5a99

General

Target

driver-booster-windows-12.0.0.308-11236.exe
Size

25.3MB
MD5

3bd43fae300070dbf4387ad227fc4fc1
SHA1

d67db4bb37acfb52d7a1922d37b85ce6cc6d753a
SHA256

0fc1658f9e5bcdc8f1d437fbbfe30a1e12a6535c3610b65521cce786246f5a99
SHA512

da65632725340cc32b74a4e999c7a0d7ba7105eba9eab17e0c35ecaffd2205ab7d31d41d11300c5d940f63122020d9aa7a43877a20b22414d25d5d170a9743e6
SSDEEP

393216:9FKV6EAgMhJ5f/3X9F3M9i2DsQ8isPBhHtWrreJwrVF+oNMcT3Xy7yoW:9cMvzXELDs5isPbHtOr7v+oNMsXT

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

MadeInMood1-40937.portmap.host:40937

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7375237961:AAFlPWXmEriRUUWDWeG1DeZifKaAFaWD10Q/sendMessage?chat_id=7534517325

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012102-5.dat	family_xworm
behavioral1/memory/2964-7-0x0000000000BD0000-0x0000000000BEA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 4 IoCs

pid	Process
2964	XClient.exe
2572	driver-booster-windows-12.0.0.308-11236.exe
2196	driver-booster-windows-12.0.0.308-11236.tmp
2940	setup.exe

Loads dropped DLL 8 IoCs

pid	Process
2572	driver-booster-windows-12.0.0.308-11236.exe
2196	driver-booster-windows-12.0.0.308-11236.tmp
2196	driver-booster-windows-12.0.0.308-11236.tmp
2196	driver-booster-windows-12.0.0.308-11236.tmp
2940	setup.exe
2940	setup.exe
2940	setup.exe
2940	setup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver-booster-windows-12.0.0.308-11236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver-booster-windows-12.0.0.308-11236.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2196	driver-booster-windows-12.0.0.308-11236.tmp
2196	driver-booster-windows-12.0.0.308-11236.tmp
2940	setup.exe
2940	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	XClient.exe
Token: SeDebugPrivilege	2196	driver-booster-windows-12.0.0.308-11236.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2940	setup.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2964	2408	driver-booster-windows-12.0.0.308-11236.exe	28
PID 2408 wrote to memory of 2964	2408	driver-booster-windows-12.0.0.308-11236.exe	28
PID 2408 wrote to memory of 2964	2408	driver-booster-windows-12.0.0.308-11236.exe	28
PID 2408 wrote to memory of 2572	2408	driver-booster-windows-12.0.0.308-11236.exe	29
PID 2408 wrote to memory of 2572	2408	driver-booster-windows-12.0.0.308-11236.exe	29
PID 2408 wrote to memory of 2572	2408	driver-booster-windows-12.0.0.308-11236.exe	29
PID 2408 wrote to memory of 2572	2408	driver-booster-windows-12.0.0.308-11236.exe	29
PID 2408 wrote to memory of 2572	2408	driver-booster-windows-12.0.0.308-11236.exe	29
PID 2408 wrote to memory of 2572	2408	driver-booster-windows-12.0.0.308-11236.exe	29
PID 2408 wrote to memory of 2572	2408	driver-booster-windows-12.0.0.308-11236.exe	29
PID 2572 wrote to memory of 2196	2572	driver-booster-windows-12.0.0.308-11236.exe	30
PID 2572 wrote to memory of 2196	2572	driver-booster-windows-12.0.0.308-11236.exe	30
PID 2572 wrote to memory of 2196	2572	driver-booster-windows-12.0.0.308-11236.exe	30
PID 2572 wrote to memory of 2196	2572	driver-booster-windows-12.0.0.308-11236.exe	30
PID 2572 wrote to memory of 2196	2572	driver-booster-windows-12.0.0.308-11236.exe	30
PID 2572 wrote to memory of 2196	2572	driver-booster-windows-12.0.0.308-11236.exe	30
PID 2572 wrote to memory of 2196	2572	driver-booster-windows-12.0.0.308-11236.exe	30
PID 2196 wrote to memory of 2940	2196	driver-booster-windows-12.0.0.308-11236.tmp	32
PID 2196 wrote to memory of 2940	2196	driver-booster-windows-12.0.0.308-11236.tmp	32
PID 2196 wrote to memory of 2940	2196	driver-booster-windows-12.0.0.308-11236.tmp	32
PID 2196 wrote to memory of 2940	2196	driver-booster-windows-12.0.0.308-11236.tmp	32
PID 2196 wrote to memory of 2940	2196	driver-booster-windows-12.0.0.308-11236.tmp	32
PID 2196 wrote to memory of 2940	2196	driver-booster-windows-12.0.0.308-11236.tmp	32
PID 2196 wrote to memory of 2940	2196	driver-booster-windows-12.0.0.308-11236.tmp	32

C:\Users\Admin\AppData\Local\Temp\driver-booster-windows-12.0.0.308-11236.exe
"C:\Users\Admin\AppData\Local\Temp\driver-booster-windows-12.0.0.308-11236.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe
  "C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\is-MQPTJ.tmp\driver-booster-windows-12.0.0.308-11236.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MQPTJ.tmp\driver-booster-windows-12.0.0.308-11236.tmp" /SL5="$500EE,25692353,139264,C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\is-PEM75.tmp-dbinst\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-PEM75.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe" /title="Driver Booster 8" /dbver=8.2.0.314 /eula="C:\Users\Admin\AppData\Local\Temp\is-PEM75.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1728579738\ENGLISH.lng

Filesize
18KB

MD5
385e3363164f2fbc7d87cabd20b9d988

SHA1
20886b519dcf58fcfa07b42cd0aa1d597b8087c2

SHA256
e05b8dd4fd12ac5ed2e24273fae743dac95d87851a4da2cb3c51abaa8d4b6200

SHA512
0731977ff05c1c1a96efbd388bf6847b19bda70cbac4c2f173ee1dee2ec3d448102945676da9149950ac27abd85591802ec660d4f66f0145b73d1c797c73d63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\45575.7099234259\install_cfg.upt

Filesize
2KB

MD5
d8d534176371d50f83a71426414d8c4b

SHA1
c60f9d72fefa153f65bc87fe32e0af065115082f

SHA256
b1ab16262ba915d6699d022dec969800548cb4272fb120820b8e391d8b529881

SHA512
2812a71a0c256c2479d02fb8ed7ce3db728f81422d0463e3039f00f1064b976ec8ba77f912760c0558b22ca015c482ae46b0015ae21d528d95360e86936141e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MQPTJ.tmp\driver-booster-windows-12.0.0.308-11236.tmp

Filesize
1.2MB

MD5
5e68859c0b4a4b3a30bdfc94b8317bc9

SHA1
06a34be233b89832090eb8f646c968a09d40a145

SHA256
3e9126730a72f811dffc8f6e598af754ec598fd8f864704c372c37a07c559956

SHA512
36c45a8c41b800a548003319c46b880d4fe8194df72e791519c491b58e8256fd18ecd2cf5c494561ba89213e1c696914ab5576a453b3dc01b29dd72a60cdfea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PEM75.tmp-dbinst\setup.exe

Filesize
7.1MB

MD5
37a7f71eb59a663fdc4945d47c2f97d7

SHA1
4cefdf21fbe991cb6bfb0d7905f0f6dc9717dc61

SHA256
bd9219966fd8c175dd0fd96c58f31fa060319aa96c499c66c761ef6bdc68aa75

SHA512
7f5fc8a5d2503a95be0f341f30dddd3a2fb5287f3231e5662b1d17d494a42f9d8f15dda9c9bb32fec91611633550bce0efd2428591ca3969ec95e9fe82ab223a

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
80KB

MD5
3f20e1848d5e3caf88f26d40ba4a1c9f

SHA1
8ba9589078750ed15638770f4b863c33304e0be6

SHA256
5820f1e5bea3eb1ec8b1ff956715764e02d41e7545ed3439db88914f2c733758

SHA512
d261ba186a751713e223697339c4c2119e462ebef288b6afa2d3c508990a16078de9857b3c2d67b4786cd4b5c45c67e3d1dbe7f0385b6b94640b771ba558fadd

Download Submit
C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe

Filesize
25.2MB

MD5
b1536eac5254923e8379419c47d38b92

SHA1
7daa851d4b36adb2123f6ec1d00b0a92b6278b12

SHA256
ea5926dda070d8ede648439431afa1d6080e4ad50892615c4a6bacd4f9d5add3

SHA512
1eb0eedd0f073ddf5dbd9decc79b138da16f952bff646a19704e6029a7ebf094d38eadae75d93ec7e18d473cfe8879aa3a0dff1f6686213a5e623350ebe04577

Download Submit
\Users\Admin\AppData\Local\Temp\is-PEM75.tmp\DriverBooster.exe

Filesize
7.8MB

MD5
2ad567d4d8c3e26b99dd567f63739611

SHA1
2d2c34f50f2a106227e319fdb13378c0c312dea9

SHA256
34fc1c119243610d66beb2bea596039eb149e11113829d3fa2248ae506e02bdd

SHA512
2883aa3df3cb04f630ea53f365e3261c8dd1fbd771efffcee6b2e9319e4814d669ffef4b05720b438b0ab9e44365c162e63fdc7956fb89a0ce20e0884219d7a5

Download Submit
memory/2196-66-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2408-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000000CE0000-0x0000000002634000-memory.dmp

Filesize
25.3MB

Download
memory/2572-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-17-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2572-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2940-184-0x0000000000400000-0x0000000000B5C000-memory.dmp

Filesize
7.4MB

Download
memory/2964-26-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/2964-8-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2964-7-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/2964-183-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing