xworm | 1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803 | Triage

Sharing

General

Target

cry.exe
Size

1.3MB
Sample

241104-wnkttsxkgk
MD5

a4c1ea4b6e69e69462efa7659ff6f48c
SHA1

cf71024bf28f10f63bf7cd27dba64d406c2ed97c
SHA256

1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
SHA512

be527013711f308bb9a0deb65b11066570e86cee896041d55556dc8566a2476bc96ab089ca155030397d95fd8d358170bc2f5b0bf97efd579dd464b1ca803507
SSDEEP

24576:/84F/cDq4sTq+gdI2W+7nMS9LJf4bcwGCYVgERFh7IfEx0ECnaf:kEcyjgmkMS9L2cFCER0f+0ECna

Score

10^/10

xworm credential_access discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8895

162.230.48.189:8895

Mutex

ZRGtN7NDh24Vx89x

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  cry.exe
- Size
  
  1.3MB
- MD5
  
  a4c1ea4b6e69e69462efa7659ff6f48c
- SHA1
  
  cf71024bf28f10f63bf7cd27dba64d406c2ed97c
- SHA256
  
  1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
- SHA512
  
  be527013711f308bb9a0deb65b11066570e86cee896041d55556dc8566a2476bc96ab089ca155030397d95fd8d358170bc2f5b0bf97efd579dd464b1ca803507
- SSDEEP
  
  24576:/84F/cDq4sTq+gdI2W+7nMS9LJf4bcwGCYVgERFh7IfEx0ECnaf:kEcyjgmkMS9L2cFCER0f+0ECna
Score

10^/10

discovery xworm credential_access execution persistence rat stealer trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Authentication Process

Modify Registry

Credential Access

Modify Authentication Process

Steal Web Session Cookie

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormcredential_accessdiscoveryexecutionpersistenceratstealertrojan