stormkitty | d6d20f33d5b0928df1cdad670ab8f9fc1fd0f3558a6cd539b46b45fe954949ed

Analysis

max time kernel
409s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 22:43

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XWorm V5.2.rar
Size

30.2MB
MD5

67a05621d5b9df04f7aa15359880ee0c
SHA1

2d420d00e5a6ddd50149e6594ad5a9131238fbcd
SHA256

d6d20f33d5b0928df1cdad670ab8f9fc1fd0f3558a6cd539b46b45fe954949ed
SHA512

48f61ca4b7a3d94630f94660e8cec8fe8f4e881063500d7e0618fe2aa799138c1d0c34c2a2d973a13980fef2c7d14f94e1c47cbe5ec966715d24acc979d1f785
SSDEEP

786432:AyEdI35cJuWL9qeVCp3K7cLpeEJfi2I7auNJuaaJxyXzmM:AI35crZlVCphFrfi37HPnjmM

Score

10^/10

stormkitty xworm agilenet evasion rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

tMXK9LS2nH2o6bKH

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0007000000023c6b-271.dat	disable_win_def
behavioral1/memory/2296-294-0x000000001BE00000-0x000000001BE0E000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000300000000070f-227.dat	family_xworm
behavioral1/files/0x000400000000073b-239.dat	family_xworm
behavioral1/memory/2296-241-0x0000000000A40000-0x0000000000A4E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c71-277.dat	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
1032	XWormLoader 5.2 x64.exe
2296	XClient.exe

Loads dropped DLL 2 IoCs

pid	Process
1032	XWormLoader 5.2 x64.exe
2296	XClient.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023c85-191.dat	agile_net
behavioral1/memory/1032-192-0x000001EA6E710000-0x000001EA6F348000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 60003100000000009f59f67d100058574f524d567e312e320000460009000400efbe215af403215af4032e0000009c3b020000000a000000000000000000000000000000bcad1200580057006f0072006d002000560035002e00320000001a000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1032	XWormLoader 5.2 x64.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3336	7zFM.exe
Token: 35	3336	7zFM.exe
Token: SeSecurityPrivilege	3336	7zFM.exe
Token: SeDebugPrivilege	1032	XWormLoader 5.2 x64.exe
Token: 33	4820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4820	AUDIODG.EXE
Token: SeDebugPrivilege	2296	XClient.exe
Token: SeShutdownPrivilege	2296	XClient.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3336	7zFM.exe
3336	7zFM.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe
1032	XWormLoader 5.2 x64.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1032	XWormLoader 5.2 x64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1032	XWormLoader 5.2 x64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2236	1032	XWormLoader 5.2 x64.exe	101
PID 1032 wrote to memory of 2236	1032	XWormLoader 5.2 x64.exe	101
PID 2236 wrote to memory of 2024	2236	vbc.exe	102
PID 2236 wrote to memory of 2024	2236	vbc.exe	102

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3424

C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k3sak5e2\k3sak5e2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9929.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3149F3D67574E79BCE680A0C0835266.TMP"
    3⤵
    PID:2024

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE80DE83A7\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9929.tmp

Filesize
1KB

MD5
074aed7a3132d02a79c53971247cff3b

SHA1
52175f21fcf85f2f15eece02f71002e9fdff1b5f

SHA256
c0a5d3f7c57d1b196bd03e926cf6d1b779fe8aa321338484a8a865f7b9763bcf

SHA512
e3869cb667e59a72ab7bce6dd5f13b44c125046585ec131452689d2ed4e14a52e53660b28e464535ad0c9f37223381c08906be97625c9cd146f79bc31d9534d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3sak5e2\k3sak5e2.0.vb

Filesize
77KB

MD5
aa82dded78c4e24a7270931a7b5bf506

SHA1
8fc5ed4702af4489ee9233fccfebc9584f163abb

SHA256
efae2d2ad9d335642382fba303dec2315cc3dc07695c849c2346ff433c0bee5f

SHA512
e98e122284573a55359e75689ac6160d1f58148a042f97fa7a08dd2445c04a10a83d4f8da6aabd68b1ec4ff6665edd54701fa04524df4192c8900681c29a1147

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3sak5e2\k3sak5e2.cmdline

Filesize
290B

MD5
14afef898834c470525eefaf2a4ecce3

SHA1
544057e475f68dbaff7b296210f07fcd102db65a

SHA256
9b4619d62a9f6909c4e831b433c5f7655f4c99e03a30d47ca6cf47208bf44495

SHA512
dee15fb4f4199cf3f439c290fab12219d8a045ee8a638e71544d0b050857427f7c79c1f4d4f48fc29b5c0de894d6f7742b391337e793bb7bb1f0d0b7c45d3b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3149F3D67574E79BCE680A0C0835266.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
33KB

MD5
8c71236cc37855d1f80b4dc8e0510256

SHA1
4f37d5d10ebe15c64546bfd800d980a70650fd8c

SHA256
91da5d429d21f841369c008736cd6cb04cb5b91c78bb05b8a10e2d2591dec496

SHA512
02652bb35a95d084c16a9a8d83f46fe745acfc1fd838871110eaaf49f13cb9c90064b02e421245351b4994ea110c6d77798709061af22193a4bf2040e21a5b02

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
eea1f284c21e67f9ae71822798793c28

SHA1
ce3187b35a736a3c18f10f449dfcb793c95dca26

SHA256
77ec3eee197d5c4b9ed3d6c059061c52615276360fe11f13f8a6bb6ce429f42b

SHA512
5b3f72d803f250668b9ada77b1a03ecd8662787b8e51c01a4e334503a5f1545ac9dc341804d0d1552e9c35596443e1a610553e3d1ab80aaef6e0f5283384def4

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\All-In-One.dll

Filesize
4.8MB

MD5
f24552f5f604c80ba4cf7afd2143df05

SHA1
98883b7bf9b996c788bb501336e388177b9b19c2

SHA256
e050a91599f3e6a89dc84a4825fdea6c4d66e970472aabf48ff586d79b67898c

SHA512
1edb1f6cc4bdb3b69204fa724b2f8a5205b3251f475ae7cf8cb015220a26e9a976c1baa3c938e8fb9df1470795ff579e21b339b58c79f96af96cfdd17eba6c15

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Chat.dll

Filesize
18KB

MD5
66e4c3a843b1076b96c48cfa0b467bcd

SHA1
2768257ff7ddc6107a576c4b739eeb09689772eb

SHA256
6b5beda1f2423aedaf83f210f8cb719d3f61f9d2cd489690fb0066ff0895ab80

SHA512
7912e5806b169a1da88ebf92842ec410ce3dd8d98578054e77cc4381e90ee174a497ea1f38a54c5c65c8475a7928cfc79ae8dd58b979c18f7133c5c83e145879

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Clipboard.dll

Filesize
14KB

MD5
6ea5b16696c2f2d265c9f864d0c727ba

SHA1
030a0bf757767869428b0a7e11cd40df7a0cfe5a

SHA256
301ab3fe52f974dc5bab98bd127c93d755597fb58a0756539cde7ad4580725b1

SHA512
2426b43886ddf9896d9f27862de08ba9eada25b432c715259b71b000a2b474bcf29ba224ac0f3fad3224ef36b17b250d593f907ce0c18703cc37e152a7321203

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\FileManager.dll

Filesize
679KB

MD5
b9dea988042c4d9878931cac41d61fb8

SHA1
82885bd2d01d27f4ce3741885256d7db418038b7

SHA256
29b44c17c85f05ced52004db716a156fc9e50b52debc8e061e2ea96957cc0d07

SHA512
81192c5b1f2e67787b569218c03e4c274a2184fb0e762afed6e3608995e3e1d1987306f32f64f28bc287fb09746476b4c7c60479fe0a5cefa186e5b208d8bacd

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\FileSeacher.dll

Filesize
478KB

MD5
fe625a7c51e699336f9acc3108437134

SHA1
50099ae8c3679930400261c80ade073157fe4f80

SHA256
68e4e6f42ffdf5ed18f1849e30f83b1baed1cfa57c68f57178bfa875e247c2b7

SHA512
26b9bf3c0b31fe029201c884f7d220b0bfe589d33dd6aa0dfd665c38af07c2352e89859198e0e9b18339c0e6c8f1e9c44358b222106531659aeb0d6f6c6c0c44

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HBrowser.dll

Filesize
25KB

MD5
79f13be3582c42df73033819d093e1f8

SHA1
45c25633bfd0ab3c4f95b7137eb9671b911ea595

SHA256
f38e74a4bee2cf29d710d7c58eb83e548d92604621a8fb076bdc1e79714b9938

SHA512
e6e4331d26f35ac52d3524da0c6cdbb4bb36af54b57c61bce564bfec8663245bc7e5ff192c44a3c731e9ce7b83fdff40f274347a5241f6322833a92df944adb5

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HRDP.dll

Filesize
1.7MB

MD5
4f16882639fc029fc367503eb820c298

SHA1
1e6b1314507e954649604dd9f80b4c45a93d7e89

SHA256
ef238f294111804c44f465d090a1634b6529d1eba85720b2e373d57cd59f75d6

SHA512
1fc02358b8347fac1acf751f7fe9c5d4d17cc35ee3df2052b69fdd518939092b54b8d29ecbf112d53604c087b01728d8961005d3946880df896998526a578ebf

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HVNC.dll

Filesize
58KB

MD5
b5ea6d82ec2d4127124eb9467eb5ce16

SHA1
0a27f08f94a80024854721c73c7715af95581da7

SHA256
ecb1a845bc2e813193e628eea48738f2354eb1ce8902a092118aa48ea2ff4bc7

SHA512
ab459d26ce689d5c7fb533fb754b875896c214e0001ecc6e8b061f7cdaf1aec06400f66f506822775337a42b80f4e1e9ab008a658cfacc873cfa83eaab6f1880

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
14ca9b8f7993924b77078e08ec0d5df5

SHA1
fb2b5717da357f6d13bb1127980c22bada68836a

SHA256
8ab3391fa5880be5991133416bae0d5b76daa2d43c8ff92ff44d6dda23386e57

SHA512
64aac1a872666bce5bb86144a6f96bb6905a2d900d76e8d2d6f1cf8b499baefd35c7fb4d6b5150d5717451c5ad632d677ae6f85737d334a7cebbd9d725c9964f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HiddenApps.dll

Filesize
45KB

MD5
c5efa70a04a026b9a2fa97b1ea43e840

SHA1
aab2de0ab74c12e04256ff2b113b062dc93179e6

SHA256
f9ef7709f34e944d99ca5bef6af1524d7cf3889894084b7ae61e9202f267a728

SHA512
1348d4ebd3ac5b56eb32820ee14f9aee20a43b7dc3d06dd7fd62c8f227b12a27d0c0376c7d858e78315cd92d17e588bc2e37648c04d146530db706e8b3c4ff1d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Informations.dll

Filesize
22KB

MD5
310ba7a07953ed7f783e89bcff6197e3

SHA1
147aa53e0d7cb027e6c67fa50fcb0dc0c770e157

SHA256
b10616eb3f5e4b0ceffc696179cdb616c78ef970dedbac10845a39985c91a38a

SHA512
554ead0f700dd617eed6055a84ecad288c4779ab20206e7434a8f3443a03a95a501014cd52390eb57570c25ea2bd7a298b96e88e8550d10b2a5db4f9633af529

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Keylogger.dll

Filesize
17KB

MD5
40ba99b80654259d0428c7e4f3645948

SHA1
8fa93e0f035694cd8e420aa2232aca859b3a2a6b

SHA256
3361bb2309e4ee31f14081bc170ac530e2ae9d1336026e736190a0304e2e77e4

SHA512
fc1deb29eea114e5a472102a51d49fa253a5c79821acffa930b30089ebecec4312437d4720b46e92149be2ce69aed57dc3939621a596ed6c413397363fa44ee7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Maps.dll

Filesize
15KB

MD5
b74f037f6c6de44e817660922a3044fc

SHA1
eb5acc30d3f607193bd819e8c0cdaaf70295c5b4

SHA256
ccb32961b904a22c2531313ed7c3733d7288daab181074f034eb4c73a0958a65

SHA512
a547961b87ecdbc0f9bf02381f16e03795dc73eda744a86da2cc07c97d7f1b65642971347d1ca69f36ead63c3b9078b6e0f2ecb4b6f2178a3b9a62f3ffb76579

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\MessageBox.dll

Filesize
15KB

MD5
bde9c12607827e21c64e1d64033043b5

SHA1
d980614dda65f1f4c3a73d1f9c8162e597fcac4e

SHA256
2170fe155b56e362500ece32013bbf8d45d5dc93e689ab33d3612066c7450f75

SHA512
e015d9b915b748d1683c18621919161f9d495221c9bf788b661e3eeab60320ee0b0d9d64a393fafa47b521b484f0af2c9948f6dac0a9b7ef1e8910571e7e98eb

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Microphone.dll

Filesize
540KB

MD5
747554e4ca902a8d18b797c2edcb43ed

SHA1
508d7c9f0b031a352a1a1f25d4c6abf4167392d5

SHA256
1f135bc57ea4f44bf8a37d66b42788bed5aba753c5cbd0b4d3349ede64abfc59

SHA512
deb3f480dc7febb1d9ff4ccdb1dd04d83e9fbe7e74fb0dd39d103dbe85fa0c434407ab032e9bca027e38a0f482d08308513cd821b09dc08aafafd905e97126fd

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Ngrok-Disk.dll

Filesize
7.0MB

MD5
4443f2173682ef836df2f89e1b44296e

SHA1
1b0db6530eb5c5404af614143f464d663382c2e4

SHA256
01e170bc479dc22cec4658a39067e001a72a974a4e562aca01162f82decd20b6

SHA512
7bb8df753fc3636d3b01f2145c1df553b34a427a9e07d4c563a1fb2e23480ba2d609658d6ca2c4deaa386feff8af741397a3cbdb15c28157c4cf4ba8244fb61f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Options.dll

Filesize
30KB

MD5
b0ebfc762fd2a7511e819336524551ea

SHA1
b3657c8edc6b9231d16b49bec11f01983d965495

SHA256
bf2978e31b7a1612255ff79217481374ea2ae976c2b8c270ec3eb5324251d8d7

SHA512
2adfff3089ac551ba057f2b4b2d208255a4558abb2761b39fd9cc10f37313386fdc1307fffb80777e0a1b6c1d1dbabf61b26cbff8592e77f982453679145822d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Pastime.dll

Filesize
17KB

MD5
178627a4b30c54d20e5a59049b5af211

SHA1
5ae226eb92df19cb693764509b953bf1dbfeffcd

SHA256
c3ffa5aedbfe2c83e68d7b70afd1adb590801da429c3a5d4fd6da18116ab0cc9

SHA512
75e9684378f5155f228a75c03cb517257e7e04cddf9762e7e5b348f7b30482a9c750cb0285e28279dc9ef740c3ce759e4ebfb4e3efddd094daab7eb3bdf713c8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Performance.dll

Filesize
16KB

MD5
d447b98bf277020e48a04d2771b190ba

SHA1
a9b312d1d858e06156eecab2cd97d246a37822e8

SHA256
57af9bb212361e2dbfe97a784beb2f978426b42f9ea0986f74c8fbfebb630f13

SHA512
8c58bf90c5433005d7e3c8a871171dd5fbc558947d5ce387351fa7625ed6bf2a6b72afa91f8d3c7243c5e950467855838f27b6356266074321204347cded15a1

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ProcessManager.dll

Filesize
17KB

MD5
12630688eb6538b34e5a392cde76ec09

SHA1
add2c24ef79657f47693995b1ddb2c760520670a

SHA256
8dbffc8d2928cc2fe3dc67b071619419bd4e21506bf8d8b66bbdef54101953d3

SHA512
24da487f34fbad245f64f86b88db8c61041e80956c2befe859903ece46905ded09e90e08f2d148316947dde8a4990bd1c944ad36a96930b197769dab025689e0

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Programs.dll

Filesize
13KB

MD5
c730d22a23fb8ec58f51116e54ac4cc4

SHA1
45c4b19479d6e58736630db5405dd58450a601dc

SHA256
4bfe2b70271956dbcf08086ff04bc36a23928d974469ffeaca97ed5ad5b6dcfb

SHA512
da5d553e1e470958db4565699f0d2a58c9ab8a653b34003fd33758ed85f1a4f3c027064fcd0c24dae3ba88f7adc22f9b45ff55c22e2b29cbc0cf8f0b7293f7db

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Ransomware.dll

Filesize
20KB

MD5
e55dfe70871fb442f8b8eea790875a7c

SHA1
0f659147ad89de0dadca9d74abb0854ec64ae403

SHA256
b0ccb9a2bef7fd24d7f31bb70a8516129a099b47d2564f9f18cb0d87144fc5da

SHA512
daf5fc4a89d841a04b2b6fd8e516d7efa3baa08710af6ff85c57771d99a2ee07da4c2482baed9ecdae54e3eca2d840341ee3371a826cf26fb180dfba864e63a8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Recovery.dll

Filesize
1.1MB

MD5
be590ee7d8c0366cc28c200308ba0823

SHA1
0fa6c6ca44893c45f115e446566f0d4dcf5168d6

SHA256
a81e4efc2c85a4f8fed46b9b0f3bd3c2a750a3047ae7ce5b29f21df52d85dfbb

SHA512
cbbb4c62d703bf8dd0e0e34b438401710c1bd62c82f71060483f4a84dfaa802a9b0d39b904d6f77cf4ef0b630f173f66f349497d53a6039c640e0f4301e26041

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Regedit.dll

Filesize
15KB

MD5
d92b2e7472ec9cb8b803bc039558c828

SHA1
0ca9e950b5ef64e3cdd23a31a2b51ad2b82581de

SHA256
1989885e6f4f459b4ef37ab11e97ffe8c1598a8189eb3a4110f259357af2414f

SHA512
ef4ded6ae8349a58a0745aa55ad96530d028f8137437124b02a80b332e2801447dde2e6e908e48151ee7102868676ef435fe5ecf0ebd980f497435e58e599171

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\RemoteDesktop.dll

Filesize
18KB

MD5
f4e00005c72b4331eb0e9243346d3e1d

SHA1
f8afb37fc362430b4045cd2f22e5a5cdaca43ace

SHA256
9bcf8dfc92bc643b9414a446da4632050de1b7577fedf4f7711d3b4b3d46e06d

SHA512
7e9be2c2a247a7ee067b156062098a2494113ca935c83a6c8723ee2fe3b7ae15ce5addac5630b8aaba9b12d52896127609f8d7974bb622b79d9a8dddd6c7a155

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ReverseProxy.dll

Filesize
16KB

MD5
a4bd2edda7e214bc50ec559c15cf81c1

SHA1
1f268ba761ef9dd38d74d3eead9289a2a35d21a4

SHA256
9fd3621ffec11e0ad254b37ce4fe527f82461b67cc8d8827532d3573a011e2e3

SHA512
b3d8857b0fc31c5fafc8552e54c34b2e463f5dba2d167ecf41e5c22aca8a36ea352a4aa1baac73278c409f975e4c68ecc55e0c085280c62151e7898b59a4bbff

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\RunPE.dll

Filesize
11KB

MD5
e8f0b68716a0bc4459601623c5c3c757

SHA1
261e11edb2ec5b14d8feaf80d6a8e966da1817f8

SHA256
0f075f2dd5a41d601329c4bff57ff38302e1da2ad149399f7f2776e640063502

SHA512
5539be32acecb59e43eb35ef9971b82764ed6bb5cc50b02ca0921ec30ccbb4d49a743262350ec9860bc669000e6511d3b3dcba0a37a5360f3f6ff4af2bc420bf

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ServiceManager.dll

Filesize
14KB

MD5
539b869c8fde6159f832e9b851bab6c7

SHA1
1e5b134d538d9c2eef53e4ecd04b806f4990cc74

SHA256
79ae4fdfc5edc08cea5520fe1e8fc448991903c493a02e9fda407bc825b330e9

SHA512
47dc3e66b4e32cb3bc1e2583e852cad7c211defe529d2ed7fce18587b4c1515bd5b5c5720f9ba0c1d9d022ff537abf827ed483e09fe63dfcf05bee4c07434631

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Shell.dll

Filesize
15KB

MD5
cb3bd9515eeccc9042757756ab7dd962

SHA1
c562da19fdc78c12685a0b1913bdf74067612b25

SHA256
e1cd982074254a8290fac19cd6d657dea80e4e70fb2742dae1137d895c3a09d8

SHA512
b1f5b6bea6ec21ae855c92871d396ae5139d028fd9f8e6d23706fc2abb97e3810b5b90ce70f2f399040436d5c4e47d64c5506464b26081fcfcb99dd91d1ac33f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\StartupManager.dll

Filesize
189KB

MD5
cc42a1c35fa6857707755c4b7eebaade

SHA1
ddc1db3a8571e1d5da140f3500e26bf1a03acc03

SHA256
28533cf4dc5b93d9ec547c2a7649958e6c3b2906ddc43175af0a94439596bee9

SHA512
120c1481566b2c341cb9ffc90c821b1823870b9a671913ff5db9b8802f3fd120570dfe7c9928a038f3bf8a838a63a9ea5b3819a47bdbd9827f1024d79a70cbcb

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Stealer.dll

Filesize
3.3MB

MD5
6cf3156c057817473d7d2239f71d2403

SHA1
36f45d7a326054e231b77b6021392d35898096ec

SHA256
3257ac3031047fcb719a8f82bd54ce42a6d542a97dd0149da08957a0c479e7fc

SHA512
3828f10081ef476cce1832ae8b3f68d7efaf539903f9d4f4e6fc4ef19feb87cb2d63409d5057e5d6d4b46e229d9ca10e39917a5c1902c55a3ce01cf18d67526d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\TCPConnections.dll

Filesize
16KB

MD5
fad421f5c9feb27d771e9aa9c33a8d16

SHA1
f1807d942d08918180f4b8b3ab4d12be167e5634

SHA256
44eba556913d0d5ef327e19e98b8ba0e9d37fe720c9defa48124582726bbd234

SHA512
f3aa58cfac5db09912aedf2f6a63f7d9feb4b86c2fe0cece9851f7e618571019068e086c328ed5eb83124207818a2d0963139e852136c7a1e66d923870e8dd40

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\UACBypass.dll

Filesize
10KB

MD5
2bb895a2756541eea6da91beb2fde3e9

SHA1
da43a05730311acb92c0b2dab8542672394531cb

SHA256
145e3437ffc5c875d16d3a14921c81b58f84d86123ae9ec23c3dd69a00c94377

SHA512
cc80cf2a52fbb9563aa980df9ccf922ed303b286844e138b95cbb2b0417a3ae26f03dd0a578bdefed223ff77e97c4b2b00da363691e26ff7eed228e35194f91f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\WebCam.dll

Filesize
209KB

MD5
0f120604ef985616821459e5ff2feccd

SHA1
100bceb7d6c01b574b7089e999bc05ab3fc0847d

SHA256
a07f0452fc4b47b53ec48d6c790aa4407aee15ec67320c506ba674a1dae551ef

SHA512
d4127d42d61a93e5e02d2e68ca21c91c5ad47e4149e0eecc9902f1daf69a9f52499c16e42bb51993289f5afb7f6f73b76a0d7c4631e8a998aa6c731053385806

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe.Config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
memory/1032-249-0x000001EA7BFF0000-0x000001EA7C0A2000-memory.dmp

Filesize
712KB

Download
memory/1032-180-0x000001EA6CFF0000-0x000001EA6CFF6000-memory.dmp

Filesize
24KB

Download
memory/1032-206-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-205-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-204-0x000001EA6E4A0000-0x000001EA6E694000-memory.dmp

Filesize
2.0MB

Download
memory/1032-202-0x000001EA70C00000-0x000001EA717EC000-memory.dmp

Filesize
11.9MB

Download
memory/1032-201-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-193-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-192-0x000001EA6E710000-0x000001EA6F348000-memory.dmp

Filesize
12.2MB

Download
memory/1032-208-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-190-0x000001EA6D840000-0x000001EA6D85A000-memory.dmp

Filesize
104KB

Download
memory/1032-217-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-215-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-189-0x000001EA6D920000-0x000001EA6D95C000-memory.dmp

Filesize
240KB

Download
memory/1032-187-0x000001EA6B7D0000-0x000001EA6B7D6000-memory.dmp

Filesize
24KB

Download
memory/1032-186-0x000001EA6B750000-0x000001EA6B756000-memory.dmp

Filesize
24KB

Download
memory/1032-185-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-184-0x000001EA6DA70000-0x000001EA6DAC6000-memory.dmp

Filesize
344KB

Download
memory/1032-182-0x000001EA6D8A0000-0x000001EA6D8FE000-memory.dmp

Filesize
376KB

Download
memory/1032-207-0x00007FF980D43000-0x00007FF980D45000-memory.dmp

Filesize
8KB

Download
memory/1032-178-0x000001EA6D020000-0x000001EA6D048000-memory.dmp

Filesize
160KB

Download
memory/1032-176-0x000001EA6CFA0000-0x000001EA6CFE2000-memory.dmp

Filesize
264KB

Download
memory/1032-209-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-174-0x0000000000A60000-0x0000000000A80000-memory.dmp

Filesize
128KB

Download
memory/1032-173-0x00007FF980D43000-0x00007FF980D45000-memory.dmp

Filesize
8KB

Download
memory/1032-210-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-222-0x000001EA7B7C0000-0x000001EA7B928000-memory.dmp

Filesize
1.4MB

Download
memory/1032-213-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-211-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-247-0x000001EA7B6E0000-0x000001EA7B762000-memory.dmp

Filesize
520KB

Download
memory/1032-212-0x00007FF980D40000-0x00007FF981801000-memory.dmp

Filesize
10.8MB

Download
memory/1032-245-0x000001EA7BC20000-0x000001EA7BF02000-memory.dmp

Filesize
2.9MB

Download
memory/1032-243-0x000001EA747E0000-0x000001EA7480C000-memory.dmp

Filesize
176KB

Download
memory/2296-279-0x000000001C2F0000-0x000000001C2FC000-memory.dmp

Filesize
48KB

Download
memory/2296-264-0x000000001DAE0000-0x000000001E008000-memory.dmp

Filesize
5.2MB

Download
memory/2296-241-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/2296-263-0x000000001B5D0000-0x000000001B5DC000-memory.dmp

Filesize
48KB

Download
memory/2296-289-0x000000001C280000-0x000000001C2BA000-memory.dmp

Filesize
232KB

Download
memory/2296-294-0x000000001BE00000-0x000000001BE0E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads