xworm | be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c

General

Target

be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe
Size

2.4MB
MD5

bdc6432b365c256c5d0efe8d66122e8f
SHA1

1ca7dda606a3b2204f35e43abb68b04c97063d36
SHA256

be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c
SHA512

3d28acbe162b0d88f1b3ca8a034c010a973ccc05ff3f0f0a9dbb902f98924cae1bce5f1b9f20f58567669503c41e9696000fb27edda4416398f0e7aac525b767
SSDEEP

49152:+2uqU+xRoatgQBJKweR4RF8gAGBJ7dj9Shv68pd3hm/F4OGP6:+2uOxRoaOQBEws4gWrhcoq3HOz

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

93.123.109.89:7000

Attributes

Install_directory
%Temp%
install_file
ApplicationFrameHost.exe
telegram
https://api.telegram.org/bot7026989332:AAGmlQvBZEqqtR_5LGfdSJ8B_oJ6WH5oCYY

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0008000000016dc6-10.dat	family_xworm
behavioral4/memory/2800-12-0x00000000012C0000-0x00000000012D8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2676	Ocean.exe
2800	ApplicationFrameHost.exe
1236	Process not Found
2808	b0hiYfRcfR.exe

Loads dropped DLL 3 IoCs

pid	Process
2848	be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe
1236	Process not Found
2676	Ocean.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2808	b0hiYfRcfR.exe
2808	b0hiYfRcfR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2808	b0hiYfRcfR.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	Ocean.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	ApplicationFrameHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2676	Ocean.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2676	2848	be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe	31
PID 2848 wrote to memory of 2676	2848	be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe	31
PID 2848 wrote to memory of 2676	2848	be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe	31
PID 2848 wrote to memory of 2800	2848	be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe	32
PID 2848 wrote to memory of 2800	2848	be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe	32
PID 2848 wrote to memory of 2800	2848	be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe	32
PID 2676 wrote to memory of 2808	2676	Ocean.exe	35
PID 2676 wrote to memory of 2808	2676	Ocean.exe	35
PID 2676 wrote to memory of 2808	2676	Ocean.exe	35

C:\Users\Admin\AppData\Local\Temp\be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe
"C:\Users\Admin\AppData\Local\Temp\be69709414e60eae521dc4b85784bceda124959adc21b554aaa660707dbbe89c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\Ocean.exe
  "C:\Users\Admin\AppData\Local\Temp\Ocean.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\ATR0r37g\b0hiYfRcfR.exe
    C:\Users\Admin\AppData\Local\Temp\ATR0r37g\b0hiYfRcfR.exe 21211232
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2808
- C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
  "C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe

Filesize
73KB

MD5
59304b625ddc6fa1d95bc09cf84b2fa6

SHA1
e3e14f54a6471570c3e10cc257fa8bedd5492d49

SHA256
440e5bf83310276bef2e72668283fda8eb1e84bdf902632fe0571bfe1ba61204

SHA512
0309e04719424ad52b9bf07c8801ace891b8ffdc1c1f69bae7269086ef296f576bd89d9b1a70b62d4545d83b952439b12de5b17d6e51a187068dd222414ec167

Download Submit
\Users\Admin\AppData\Local\Temp\ATR0r37g\b0hiYfRcfR.exe

Filesize
8.1MB

MD5
48967405474815a1f0b8fa45c903d39b

SHA1
92bf307858683ad603f733e1c46f7c381df28cb3

SHA256
ba96f800395c8573d39f030fdd5e14617029f51f81c83fe9d2111ba7c7ce83e7

SHA512
bad508b5fdf2dc4f9cc8329b2ce372cf9e7a392ea44a4c18c40e89ab04b3b51dc6476d73bc5b46910bddaed96f39c30cacb55ce29993ca6786fc7665de71eb35

Download Submit
\Users\Admin\AppData\Local\Temp\Ocean.exe

Filesize
2.3MB

MD5
286efca498147dedaf4169e9bb297b52

SHA1
a88b65dc85d209a26da56c1d31fc63edb99d0819

SHA256
de824109d13ae96a87c2cfabbc650e05765e1ae36ebe69c4bf16d253f3e7f53d

SHA512
3b4149969308e53bf4f37af4f71d47199f6ba0198fd6e9b0a937daf11c728bdf2f695aa2400c1ee0db7708ed5e48b1cce5596b7a5cce9cafa21e6de8eb5c9ad6

Download Submit
memory/2800-12-0x00000000012C0000-0x00000000012D8000-memory.dmp

Filesize
96KB

Download
memory/2800-16-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-27-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-28-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-36-0x0000000077D00000-0x0000000077D02000-memory.dmp

Filesize
8KB

Download
memory/2808-34-0x0000000077D00000-0x0000000077D02000-memory.dmp

Filesize
8KB

Download
memory/2808-38-0x0000000077D00000-0x0000000077D02000-memory.dmp

Filesize
8KB

Download
memory/2808-39-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/2808-41-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/2808-43-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/2808-46-0x0000000140000000-0x000000014182C000-memory.dmp

Filesize
24.2MB

Download
memory/2848-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000190000-0x0000000000402000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing