xworm

Sharing

Copy URL

Twitter E-mail

General

Target

fudcrypto.zip
Size

212KB
Sample

241121-b7bp2sxpew
MD5

8989cf7b833dc53bafc8ec626c3c13d8
SHA1

f5bbc5d9eb758a286de576bfb7b08e79d0bd7acb
SHA256

d074441c881b5ba2b3f238a730edbb942b0dfb97114e1a06ebd4872282a654ef
SHA512

7b373981cf06727207b8177aced9f989270a94635737cc6dbc27c041a3db5559df17987342bcc3d1d3ae8e2770065e27d9eb2c2eb3f92b30f8890a933b03da1e
SSDEEP

6144:B7/IelIkZgzD3ysBmPXjifL7JPkVu0iGty:S6LgzD3oXk7FYJty

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

104.234.114.133:1188

Mutex

cbhMMjEG3bxpp43T

Attributes

Install_directory
%Temp%
install_file
system.exe

aes.plain

Targets

- Target
  
  fudcrypto.zip
- Size
  
  212KB
- MD5
  
  8989cf7b833dc53bafc8ec626c3c13d8
- SHA1
  
  f5bbc5d9eb758a286de576bfb7b08e79d0bd7acb
- SHA256
  
  d074441c881b5ba2b3f238a730edbb942b0dfb97114e1a06ebd4872282a654ef
- SHA512
  
  7b373981cf06727207b8177aced9f989270a94635737cc6dbc27c041a3db5559df17987342bcc3d1d3ae8e2770065e27d9eb2c2eb3f92b30f8890a933b03da1e
- SSDEEP
  
  6144:B7/IelIkZgzD3ysBmPXjifL7JPkVu0iGty:S6LgzD3oXk7FYJty
Score

10^/10

xworm discovery persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  fud crypto/AUTHZAX.DLL
- Size
  
  67KB
- MD5
  
  6d7aaaadf2bb5a485c9af58f73641379
- SHA1
  
  0cf59ade584b41a987cd256172633d5f78bdd64d
- SHA256
  
  21bd2da73c0fd41e35999b01e695e8187741812a138494ad4b2d3c4e5241937d
- SHA512
  
  ce97970c9cd42944c4d08438962297e3215595254776db6d732298984ccd9ee8778ec83b5f39d229d89b6fc4c0d49647a78120fce0acc03fa3bb60ea91cfd6b0
- SSDEEP
  
  768:hV2w7WuYlsz1Zha3S0EJaKZf3VcvB/2AgbfViz7/TFFGVOucKfsgx9e3PlYZKO+Q:mwJYKs8XMTf7/TX6e3PYKO+oU795Y
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral3 behavioral4
- Target
  
  fud crypto/BCSAutogen.dll
- Size
  
  48KB
- MD5
  
  16e35e8821dc8d90348f274efa941792
- SHA1
  
  698599ee94bf4e4c271e989699e288bbd5fc31e3
- SHA256
  
  c37325c2ce7803f93033090a477df7a8588d5a1cdef6cc0cea44e299bf8da989
- SHA512
  
  879dd4c8cd4bdf4ffbbb6affd259ff47bf4077e6686808a91b10fc0fdb234139dc3ed69e40ce3ca31f0b0bb1d7ea940fd0b6c0317e0865883eb2283c50abfdc9
- SSDEEP
  
  768:OmA/lY8mNiYiVvpT/Ix7Y40DX/AdFepp83LSw2eAOswwbz64cROMi2jpv:mlYH6vdw0/AS+WeAOsfbz64g595
Score

1^/10
behavioral5 behavioral6
- Target
  
  fud crypto/BCSClient.Msg.dll
- Size
  
  38KB
- MD5
  
  5cb87afc5f4c9c46819d26d8fa3f5c44
- SHA1
  
  706c5a662a7dd76cf5ba832fba1835528931d863
- SHA256
  
  49871714d54dc38e91777cfb4cdc9117cc7b22693db054851b1992202ba4b7e1
- SHA512
  
  eadca1a9437793b4d4fd6eeeab247051b0fd594d94b990d3f7b0328e82bab62282d4d2e93b83e68d0638b6587db7eefd9b87bc2331e05f236e9426e0954889f6
- SSDEEP
  
  384:uTKH7lynP81JsaRSJt/KQocMIq8MffHI3rbZKpUMFLXci2jpv3q:uTg7eP81Kast/KzHABuZMi2jpv6
Score

1^/10
behavioral7 behavioral8
- Target
  
  fud crypto/BCSClientManifest.man
- Size
  
  26KB
- MD5
  
  c4c6784105d983283dcbd7b1ac029607
- SHA1
  
  45e886143624b97434c3debc8afa55610c18caa0
- SHA256
  
  a6d5423d5492da4188b2c82a59f20e610c419ee310972f99543c253b2be51647
- SHA512
  
  34c0a403dae15d208ab4bdfcf07952c753369ca18eb0759a0d6c1b2ba2b2a75a1142e0e37bcedd86e2b6c21b52c635581fd5904b6a86d8f60c4255f86ed8d7de
- SSDEEP
  
  384:3PXtI114fR94RXEYaSr1779+HF3IV/OKscgcxUzDNFpn:8uzfpn
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  fud crypto/BCSEvents.man
- Size
  
  35KB
- MD5
  
  c6696bb4b2e515f2240bea9e998be82f
- SHA1
  
  88747757c0e8e6f66ba1cf0c559b7d7be4074d2e
- SHA256
  
  45f763a5258f39a14872b4823b203ccf311bc1bc4e9a3bfeb7e2afdb51cc36ec
- SHA512
  
  e4139f5b56b012f4601c59c29e11976559f6959722c4b690ed9abfadce3779817f4c97dff05068e6853959aca1f5bc8661c434918c9c5c25160198ef5823a335
- SSDEEP
  
  768:GD/741Xy3AxbsRKXS2dUmJBe7I+tGB+D0DiPpS3Onq3OCDIq3ONh+q3OYcvq3O6j:GQ+
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  fud crypto/fudcrypto.exe
- Size
  
  212KB
- MD5
  
  eea17ac368bc01f9f8a3e0103cf5b6e6
- SHA1
  
  d4df74f888d9025497c9e4b418c65cfa2c0ab2c0
- SHA256
  
  de1d872fa35b4ec1a843db9c63fc7e4590fd3b7b250ab5c6a492630ab68b5886
- SHA512
  
  cf297ea8ec540354a22fd046d34f6fc93e74bfe474e4729531263180e4cb35af48c0b6614f5a88c72f0bf767890109eba13c8eca3c9f1f6abaffe7cacabaaccf
- SSDEEP
  
  3072:Fm18FOY1Y10lDPANA8nL8U0TaxzKJltDM7t7aAwA9u7m0Vuth4R1:cEDoTnL8hDY7JPCVu0
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Executes dropped EXE

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Detect Xworm Payload

Xworm

Xworm family

Executes dropped EXE

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14