Overview

overview

10

Static

static

1

XWorm V5.6.rar

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm V5.6.rar

  • Size

    22.9MB

  • Sample

    250126-r2w2sstqds

  • MD5

    53d050391cb06fce1ea774f183accd92

  • SHA1

    e63d283faaa9140366435bc7c118858564f5da29

  • SHA256

    d76170f4f50b6ec46f1e98734d2c40f59a71ed1c20432bd8a9ddd4e1b34fd2a9

  • SHA512

    3b1b55e3f6ea711284e4334cbb612645698ae5af64b299b2419375d9a872f1cdf60bbb1ef10bf7600b03d9b43c948617be000766ae96353cdb24b531bb9d16e2

  • SSDEEP

    393216:OxUmZ75UDU6Lr+0HMJO+8w26tL1R8syB1fWbAtGrGdy5Y4TGp4oesyFw7uStyJAS:OFgU6Ly0wn8pgLr8syBQAtGZKpOYBh61

Score
10/10
asyncratgurcustormkittyxwormdefaultcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/kh4liddx/KH4LIDDX/releases/download/KH4LIDDX/csrss.exe

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

Mutex

uoqo0jDHykn623lG

Attributes
  • Install_directory

    %Public%

  • install_file

    SystemSettings.exe

  • pastebin_url

    https://pastebin.com/raw/4zaiEtZS

  • telegram

    https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendDocument?chat_id=7537927256&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2001/26/2025%202:45%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Enterprise%20LTSC%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20Admin%0A%F0%9F%86%94%20PC%20=%3E%20UKTNMTZV%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20Kingdom]%0A%F0%9F%94%8D%20IP%20=%3E%20181.215.176.83%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2014%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%200%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%2

https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendDocument?chat_id=753792725

Targets

    • Target

      XWorm V5.6.rar

    • Size

      22.9MB

    • MD5

      53d050391cb06fce1ea774f183accd92

    • SHA1

      e63d283faaa9140366435bc7c118858564f5da29

    • SHA256

      d76170f4f50b6ec46f1e98734d2c40f59a71ed1c20432bd8a9ddd4e1b34fd2a9

    • SHA512

      3b1b55e3f6ea711284e4334cbb612645698ae5af64b299b2419375d9a872f1cdf60bbb1ef10bf7600b03d9b43c948617be000766ae96353cdb24b531bb9d16e2

    • SSDEEP

      393216:OxUmZ75UDU6Lr+0HMJO+8w26tL1R8syB1fWbAtGrGdy5Y4TGp4oesyFw7uStyJAS:OFgU6Ly0wn8pgLr8syBQAtGZKpOYBh61

    Score
    10/10
    asyncratgurcustormkittyxwormdefaultcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

      defense_evasion

    • Detect Xworm Payload

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks