xworm | 3b67604b47e117c1eff51c5e7c26c8258441c8b27809495cc7d0bb407fdbc377

General

Target

BLOODSTEALER.exe
Size

62KB
MD5

d361dc014b73a322681f2fb1e83f9091
SHA1

6411e30e47b02a5ead2d3b8c98105734e2dc8915
SHA256

3b67604b47e117c1eff51c5e7c26c8258441c8b27809495cc7d0bb407fdbc377
SHA512

8ab35a0008bd184296688fac0db593069d4d37da72777b0130ed9d1a46e9eed728e4d74206941c9eb333bd21b91a4158514e888dba0dbe99af0bbbc181fc7591
SSDEEP

1536:96gXIHbI7Ef01kbhEFCJ8nm68shlOTQyAzTUk:v1kbh98n0s7OTIok

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.24:17857

Attributes

Install_directory
%LocalAppData%

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1996-1-0x00000000001E0000-0x00000000001F6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
2888	powershell.exe
2072	powershell.exe
2636	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	BLOODSTEALER.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	BLOODSTEALER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2236	powershell.exe
2888	powershell.exe
2072	powershell.exe
2636	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	BLOODSTEALER.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1996	BLOODSTEALER.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2236	1996	BLOODSTEALER.exe	28
PID 1996 wrote to memory of 2236	1996	BLOODSTEALER.exe	28
PID 1996 wrote to memory of 2236	1996	BLOODSTEALER.exe	28
PID 1996 wrote to memory of 2888	1996	BLOODSTEALER.exe	30
PID 1996 wrote to memory of 2888	1996	BLOODSTEALER.exe	30
PID 1996 wrote to memory of 2888	1996	BLOODSTEALER.exe	30
PID 1996 wrote to memory of 2072	1996	BLOODSTEALER.exe	32
PID 1996 wrote to memory of 2072	1996	BLOODSTEALER.exe	32
PID 1996 wrote to memory of 2072	1996	BLOODSTEALER.exe	32
PID 1996 wrote to memory of 2636	1996	BLOODSTEALER.exe	34
PID 1996 wrote to memory of 2636	1996	BLOODSTEALER.exe	34
PID 1996 wrote to memory of 2636	1996	BLOODSTEALER.exe	34

C:\Users\Admin\AppData\Local\Temp\BLOODSTEALER.exe
"C:\Users\Admin\AppData\Local\Temp\BLOODSTEALER.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BLOODSTEALER.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLOODSTEALER.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Discord'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6445a9a21a9076a96d064668bed18fd5

SHA1
afade3e045d578637230ba04f2f95df5c29eabb2

SHA256
1f41400108652acf92dc555bdc524df6cc1e1387f6dbd7eb3b0e84f32b542528

SHA512
5acef4d3e7947a077f455d49b209fb84257bed04ef5391141b6c11635a39d68d706920f59e37a33d573938c00ff50179f897ecd0d4877326d354f2bc2bfa4ca3

Download Submit
memory/1996-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/1996-1-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download
memory/1996-31-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1996-32-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/1996-33-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/2236-6-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2236-7-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2236-8-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2888-14-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2888-15-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing