xworm | 4cc278ee6bcb828bf809f398e58e023099a02f7fe372d0d0a6632952b4093b4e

Resubmissions

18-12-2024 07:37

241218-jf8vga1lel 10

18-12-2024 07:34

241218-jd6bka1kgm 10

Analysis

max time kernel
835s
max time network
836s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

49KB
MD5

89bc15122f16df2eb618add250990ad0
SHA1

47e459aa4ed8a83a84a4912db8a1dc61fb8a6375
SHA256

4cc278ee6bcb828bf809f398e58e023099a02f7fe372d0d0a6632952b4093b4e
SHA512

4d465eeffb4cc1f886614e35b2075a97d604fd131acba2119ff0c7c5c43e9ba90006f67334195f7c415c888b3ef8441e13e3b4890968c8d547258e2e51d5cbfb
SSDEEP

768:+WFNI2RdYFIOoUHEdc8e6akgkb1gndeaet/OtsXhMHN50w:+87nYercEdclHkb1gncFO8eH70w

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/hMSQvtUM

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2668-5-0x0000000000C10000-0x0000000000C1E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2668-1-0x0000000000CE0000-0x0000000000CF2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	XClient.exe
2668	XClient.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/2668-2-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-3-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-4-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2668-5-0x0000000000C10000-0x0000000000C1E000-memory.dmp

Filesize
56KB

Download
memory/2668-6-0x000000001BB50000-0x000000001BC00000-memory.dmp

Filesize
704KB

Download
memory/2668-7-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2668-8-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download