xworm | 89751d8b2b5ff207f8a7da0605086c675471f47830c29357d42006eb2598262a

General

Target

XClient.exe
Size

80KB
MD5

2549b9c24b00e10d1d1b19ed18abea56
SHA1

71135d2dccd4f4cdcefdd0cf2b59fe7d7fa51897
SHA256

89751d8b2b5ff207f8a7da0605086c675471f47830c29357d42006eb2598262a
SHA512

52c672a7bb9c2b426ad6d4ee201c18fe751836f3b0fd4dea8c76e86c16fb47afe0f1a6443af323ccef6a549eb88af73250c59af9e4000784afb2ca7ca3509afa
SSDEEP

1536:6C1htydn6LwUGd8H0qlKhxGeB9VxgCR939beP8e5Lkkma6R1DTgbi55oOLuXnvKL:6CxicwUU3jvGeBTR19bePvgkmfgYoOCe

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

america-depending.gl.at.ply.gg:22525

Attributes

Install_directory
%AppData%
install_file
fix solve.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/628-1-0x0000000000C30000-0x0000000000C4A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe
2632	powershell.exe
1832	powershell.exe
2816	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fix solve.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fix solve.lnk	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
628	XClient.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1832	powershell.exe
2816	powershell.exe
2692	powershell.exe
2632	powershell.exe
628	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	XClient.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	628	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
628	XClient.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1832	628	XClient.exe	31
PID 628 wrote to memory of 1832	628	XClient.exe	31
PID 628 wrote to memory of 1832	628	XClient.exe	31
PID 628 wrote to memory of 2816	628	XClient.exe	33
PID 628 wrote to memory of 2816	628	XClient.exe	33
PID 628 wrote to memory of 2816	628	XClient.exe	33
PID 628 wrote to memory of 2692	628	XClient.exe	35
PID 628 wrote to memory of 2692	628	XClient.exe	35
PID 628 wrote to memory of 2692	628	XClient.exe	35
PID 628 wrote to memory of 2632	628	XClient.exe	37
PID 628 wrote to memory of 2632	628	XClient.exe	37
PID 628 wrote to memory of 2632	628	XClient.exe	37

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\fix solve.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix solve.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

DNS

america-depending.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

america-depending.gl.at.ply.gg

IN A

Response

america-depending.gl.at.ply.gg

IN A

147.185.221.25
DNS

america-depending.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

america-depending.gl.at.ply.gg

IN A
DNS

america-depending.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

america-depending.gl.at.ply.gg

IN A
DNS

america-depending.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

america-depending.gl.at.ply.gg

IN A

147.185.221.25:22525

america-depending.gl.at.ply.gg

XClient.exe

2.5kB
52 B
11
1

8.8.8.8:53

america-depending.gl.at.ply.gg

dns

XClient.exe

304 B
92 B
4
1

DNS Request

america-depending.gl.at.ply.gg

DNS Request

america-depending.gl.at.ply.gg

DNS Request

america-depending.gl.at.ply.gg

DNS Request

america-depending.gl.at.ply.gg

DNS Response

147.185.221.25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FSBJOB3SDGLLSMYLSO2R.temp

Filesize
7KB

MD5
91e4060194e2066afe1c1ea7a7088d5f

SHA1
f57d36c11de6988c6d1ab57170cea5a9eb63d8ca

SHA256
e2d8af3b33b3cf5b26680398a4454ff03c775f04f584ad54a81d6561a7138f65

SHA512
303c1da3c8705e2197d0bc6bd0b650508f2c9a072274134f5e6f8c5f6a67ba429f838617b1ff17728d95a748edb88e18d0600aae4eaeddf98cc385d157709b03

Download Submit
memory/628-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/628-1-0x0000000000C30000-0x0000000000C4A000-memory.dmp

Filesize
104KB

Download
memory/628-31-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/628-32-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/628-33-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1832-6-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/1832-7-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1832-8-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/2816-14-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2816-15-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.