xworm | 8a7e5d36b08e238e067bd6ca7e7ef4d3d76a73b690a389cd46b77542d36b49f1

General

Target

NEXUS MULTI TOOL CB V2.exe
Size

232KB
MD5

fdd20779b1be9cababe4aa6f5890c0cb
SHA1

33dc61b1fdd8cf886b5eb897d41b8b4f16aace70
SHA256

8a7e5d36b08e238e067bd6ca7e7ef4d3d76a73b690a389cd46b77542d36b49f1
SHA512

3c2d2193cf77df541a043204a22e51fa5477cc41b2de72039b275860e298027d2154f954cc2086768fb4b6c24eaa356742a52d5749c3dba313f2830137f2ad63
SSDEEP

6144:mpj7RlW3E+HvNn60YIeZj34lzYffRr80cluBi9:APfkVw3kY327ii9

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

person-bedford.gl.at.ply.gg:99

147.185.221.23:99

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
telegram
https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c98-24.dat	family_xworm
behavioral2/files/0x0007000000023c99-35.dat	family_xworm
behavioral2/memory/4748-42-0x0000000000B40000-0x0000000000B5C000-memory.dmp	family_xworm
behavioral2/memory/1184-44-0x0000000000380000-0x0000000000398000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	NEXUS MULTI TOOL CB V2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	NEXUS PAID V2.exe

Executes dropped EXE 3 IoCs

pid	Process
1932	NEXUS PAID V2.exe
4748	NEXUS PAID.exe
1184	NEXUS!.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	NEXUS PAID.exe
Token: SeDebugPrivilege	1184	NEXUS!.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1932	3352	NEXUS MULTI TOOL CB V2.exe	85
PID 3352 wrote to memory of 1932	3352	NEXUS MULTI TOOL CB V2.exe	85
PID 3352 wrote to memory of 4108	3352	NEXUS MULTI TOOL CB V2.exe	86
PID 3352 wrote to memory of 4108	3352	NEXUS MULTI TOOL CB V2.exe	86
PID 1932 wrote to memory of 4748	1932	NEXUS PAID V2.exe	88
PID 1932 wrote to memory of 4748	1932	NEXUS PAID V2.exe	88
PID 1932 wrote to memory of 1184	1932	NEXUS PAID V2.exe	89
PID 1932 wrote to memory of 1184	1932	NEXUS PAID V2.exe	89
PID 4108 wrote to memory of 2196	4108	cmd.exe	90
PID 4108 wrote to memory of 2196	4108	cmd.exe	90
PID 4108 wrote to memory of 1804	4108	cmd.exe	91
PID 4108 wrote to memory of 1804	4108	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\NEXUS MULTI TOOL CB V2.exe
"C:\Users\Admin\AppData\Local\Temp\NEXUS MULTI TOOL CB V2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Roaming\NEXUS PAID V2.exe
  "C:\Users\Admin\AppData\Roaming\NEXUS PAID V2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Roaming\NEXUS PAID.exe
    "C:\Users\Admin\AppData\Roaming\NEXUS PAID.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Users\Admin\AppData\Roaming\NEXUS!.exe
    "C:\Users\Admin\AppData\Roaming\NEXUS!.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2196
- - C:\Windows\system32\where.exe
    where curl
    3⤵
    PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NEXUS PAID V2.exe

Filesize
193KB

MD5
3a9f7506dfb83a1de0da1886f6ba479f

SHA1
731003b9e24d6e7dcd6c83aacc69de50ad757b03

SHA256
b89cb0a8787fc2b4baef7732bff2136fa6bb647355fb9eff0c77bc44a9f6fbf0

SHA512
72f33db6f1685d2eafc5fba04353132b582c2699366b8520312c493f9502660a37c6b420296a3bc5ede46753a069f4573834b75462507e48a4608d822ae81d20

Download Submit
C:\Users\Admin\AppData\Roaming\NEXUS PAID.exe

Filesize
90KB

MD5
a44c677cc83a7fd4cbd31c9780ce8672

SHA1
5e6191795ae37b408d3dcc5b280ad1be4af3025f

SHA256
743ba0b43dcb8d17ff5e38aeb0e8adb9d625f1646e9662870530cec3d81f5cd2

SHA512
ee073c19334e94b967569ba6335e8570b00ceeea0fdf4d3cfd36eb94a9b9fbee2580d006fdfb4176cc1978aac49a2dca63974cabc3e3c06cf95b6d39ebf00b63

Download Submit
C:\Users\Admin\AppData\Roaming\NEXUS!.exe

Filesize
72KB

MD5
ef3f18621cdfec463a0fc978406bab42

SHA1
a89fa4401443b0d14fe58c1581c67234db5c9446

SHA256
e78d388416a9cee8d3ba6aad01042c38e608da0f2b69ddb2363a468bd62d9a39

SHA512
f809944eacd8096f281927835e82b18aae423152f1bcc947fc7a94fc4a2f2e126d72ee7f6a638f17f090d94b0c550538a99d8a4d2ce89aa2cde96139abaf82db

Download Submit
C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat

Filesize
6KB

MD5
a009efb7ec8161a79566214938b510b9

SHA1
29615bff535c78d75e60c438d0e073393bb92169

SHA256
8414c53566218e87e145cb41419c5c630885e8cb77bf8475268ad6dad409ce42

SHA512
b4c59ec289e8a77c5e7740602f80154c7455d1181c28da36f24db2da632012c4e2d39e213193523514db4839f49307630b11fd29833b181708c61b850ca1e1a6

Download Submit
memory/1184-44-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download
memory/1932-17-0x0000000000150000-0x0000000000186000-memory.dmp

Filesize
216KB

Download
memory/1932-19-0x00007FFBA0A00000-0x00007FFBA14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-45-0x00007FFBA0A00000-0x00007FFBA14C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-0-0x00007FFBA0A03000-0x00007FFBA0A05000-memory.dmp

Filesize
8KB

Download
memory/3352-1-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download
memory/4748-42-0x0000000000B40000-0x0000000000B5C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing