xworm | ff984e86a415db21ebef7396d3b0d46884300a3b69d3ae4626a3b7dff7ebdbf7

Analysis

max time kernel
7s
max time network
7s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-11-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Code Stealer King.exe
Size

362KB
MD5

fca35ebbd101177aeeb22771f19ce660
SHA1

e4458983b396d9f009216ccbd8214311204c2d42
SHA256

ff984e86a415db21ebef7396d3b0d46884300a3b69d3ae4626a3b7dff7ebdbf7
SHA512

36ab1b2e2153dda5e8bf40aeb96f6ae31721f78a29161222d38975f355f003f1ec493e2adfcd2d06be876408a65ff55ba82ed8fc6c3584fe9329d968630a5b92
SSDEEP

6144:0yr8TSA5BssGOE33CFi5f/+3I3x4Hdtj+i3cqA5rGI5/4OTy6zccBamnLoqPdRiy:0RT15B1GOa3C4ZAQ6HdtHpAQI5/4XUBL

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.21:27938

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6575053517:AAHfQSqLTvzOajvn1QldlaGUVj-u9hK2upc/sendMessage?chat_id=7492036336

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001f00000002aaff-9.dat	family_xworm
behavioral1/memory/2376-34-0x0000000000C10000-0x0000000000C2A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
2376	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	Code Stealer King.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1228	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2376	3612	Code Stealer King.exe	82
PID 3612 wrote to memory of 2376	3612	Code Stealer King.exe	82

C:\Users\Admin\AppData\Local\Temp\Code Stealer King.exe
"C:\Users\Admin\AppData\Local\Temp\Code Stealer King.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\svchost.exe

Filesize
77KB

MD5
7a663541653efa34e7e2aabf0acf6ada

SHA1
ae14101f62220e6435ed3d80e03dbb4e5f29b344

SHA256
829016d508f4064cc618eef8c9250ad000b15355ce563f172e6e54f776c74f9c

SHA512
7267f6b0c41dff35a761171a30ebdfde83e81a29f4511fe808cb28b0d7d0a2a2b101fac57aefe74b9c8475ae37c87471b8dcedf1e9458da5dd8d839270a20508

Download Submit
memory/2376-34-0x0000000000C10000-0x0000000000C2A000-memory.dmp

Filesize
104KB

Download
memory/3612-0-0x00007FFE9D993000-0x00007FFE9D995000-memory.dmp

Filesize
8KB

Download
memory/3612-1-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download