xworm | ff984e86a415db21ebef7396d3b0d46884300a3b69d3ae4626a3b7dff7ebdbf7

Analysis

max time kernel
139s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CodeStealerKing.exe
Size

362KB
MD5

fca35ebbd101177aeeb22771f19ce660
SHA1

e4458983b396d9f009216ccbd8214311204c2d42
SHA256

ff984e86a415db21ebef7396d3b0d46884300a3b69d3ae4626a3b7dff7ebdbf7
SHA512

36ab1b2e2153dda5e8bf40aeb96f6ae31721f78a29161222d38975f355f003f1ec493e2adfcd2d06be876408a65ff55ba82ed8fc6c3584fe9329d968630a5b92
SSDEEP

6144:0yr8TSA5BssGOE33CFi5f/+3I3x4Hdtj+i3cqA5rGI5/4OTy6zccBamnLoqPdRiy:0RT15B1GOa3C4ZAQ6HdtHpAQI5/4XUBL

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.21:27938

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6575053517:AAHfQSqLTvzOajvn1QldlaGUVj-u9hK2upc/sendMessage?chat_id=7492036336

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cab-7.dat	family_xworm
behavioral2/memory/3144-34-0x0000000000590000-0x00000000005AA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	CodeStealerKing.exe

Executes dropped EXE 1 IoCs

pid	Process
3144	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	CodeStealerKing.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4280	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3144	4316	CodeStealerKing.exe	87
PID 4316 wrote to memory of 3144	4316	CodeStealerKing.exe	87

C:\Users\Admin\AppData\Local\Temp\CodeStealerKing.exe
"C:\Users\Admin\AppData\Local\Temp\CodeStealerKing.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\svchost.exe

Filesize
77KB

MD5
7a663541653efa34e7e2aabf0acf6ada

SHA1
ae14101f62220e6435ed3d80e03dbb4e5f29b344

SHA256
829016d508f4064cc618eef8c9250ad000b15355ce563f172e6e54f776c74f9c

SHA512
7267f6b0c41dff35a761171a30ebdfde83e81a29f4511fe808cb28b0d7d0a2a2b101fac57aefe74b9c8475ae37c87471b8dcedf1e9458da5dd8d839270a20508

Download Submit
memory/3144-34-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/4316-0-0x00007FFDF7453000-0x00007FFDF7455000-memory.dmp

Filesize
8KB

Download
memory/4316-1-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download