xworm | f37e1281da195bfde456802494ecf0b9d7ca54cca6e39bc633cce123a8806357

Analysis

max time kernel
15s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vulturi Stealer‌.exe
Size

532KB
MD5

e62f8723a8831b750c34e1ec7b24c48e
SHA1

906a94b2d84038a5f236d4b8d8dbccbb1f16dc9c
SHA256

f37e1281da195bfde456802494ecf0b9d7ca54cca6e39bc633cce123a8806357
SHA512

dd452900d3c81c2a72c4f3c33b9dfc967477bf88c27da1a9b492ee76329d22b0e2c94563038cf03837408c2ed34bb1e5c05259f25fd116a227fceb4a1b056ea6
SSDEEP

12288:PG/QZccyiGTWFmphezgoYX8OUE46o+wIg1z6S/qrD:PE9iGgskVYMOm6twIg1mS/I

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

146.190.110.91:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c09-19.dat	family_xworm
behavioral2/memory/3396-41-0x0000000000110000-0x0000000000128000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1012	powershell.exe
2044	powershell.exe
1540	powershell.exe
5092	powershell.exe
4280	powershell.exe
1828	powershell.exe
852	powershell.exe
4828	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	Vulturi Stealer‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	csrss.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
4216	Vulturi Stealer.exe
3396	svchost.exe
3672	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3396	svchost.exe
3672	csrss.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4280	powershell.exe
4280	powershell.exe
1828	powershell.exe
1828	powershell.exe
4280	powershell.exe
1828	powershell.exe
852	powershell.exe
852	powershell.exe
4828	powershell.exe
4828	powershell.exe
852	powershell.exe
4828	powershell.exe
2044	powershell.exe
2044	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
2044	powershell.exe
5092	powershell.exe
5092	powershell.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe
5092	powershell.exe
3396	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	svchost.exe
Token: SeDebugPrivilege	3672	csrss.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3396	svchost.exe
Token: SeBackupPrivilege	3980	vssvc.exe
Token: SeRestorePrivilege	3980	vssvc.exe
Token: SeAuditPrivilege	3980	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3396	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4216	4996	Vulturi Stealer‌.exe	90
PID 4996 wrote to memory of 4216	4996	Vulturi Stealer‌.exe	90
PID 4996 wrote to memory of 3396	4996	Vulturi Stealer‌.exe	91
PID 4996 wrote to memory of 3396	4996	Vulturi Stealer‌.exe	91
PID 4996 wrote to memory of 3672	4996	Vulturi Stealer‌.exe	92
PID 4996 wrote to memory of 3672	4996	Vulturi Stealer‌.exe	92
PID 3396 wrote to memory of 4280	3396	svchost.exe	97
PID 3396 wrote to memory of 4280	3396	svchost.exe	97
PID 3672 wrote to memory of 1828	3672	csrss.exe	99
PID 3672 wrote to memory of 1828	3672	csrss.exe	99
PID 3672 wrote to memory of 852	3672	csrss.exe	101
PID 3672 wrote to memory of 852	3672	csrss.exe	101
PID 3396 wrote to memory of 4828	3396	svchost.exe	102
PID 3396 wrote to memory of 4828	3396	svchost.exe	102
PID 3396 wrote to memory of 1012	3396	svchost.exe	105
PID 3396 wrote to memory of 1012	3396	svchost.exe	105
PID 3672 wrote to memory of 2044	3672	csrss.exe	106
PID 3672 wrote to memory of 2044	3672	csrss.exe	106
PID 3396 wrote to memory of 1540	3396	svchost.exe	109
PID 3396 wrote to memory of 1540	3396	svchost.exe	109
PID 3672 wrote to memory of 5092	3672	csrss.exe	110
PID 3672 wrote to memory of 5092	3672	csrss.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer‌.exe
"C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer‌.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- C:\ProgramData\csrss.exe
  "C:\ProgramData\csrss.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
30KB

MD5
0998890ccf8a3d8702db7a84fe6dd7b3

SHA1
18e561e0ef68fb08d8f391eacd45c7d573206b92

SHA256
c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220

SHA512
8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer.exe

Filesize
1.2MB

MD5
ca294b2f778abc14fef6313b3cea7155

SHA1
a7b9f93865aef9d9be61851d94c58d2763770e1a

SHA256
e660925a7cbb5b271d569b50285c862e20b5a15c8596b7442ec2a4c29bfcfd4e

SHA512
f1b9067598ec12a313ea54b97e5039c530b55e14207f1030babb296ef49bcdc2dfcb68ef97759fb15af057993ecb23e6f7c97beacf7e3b7711c19ee63a8d37f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0smlwouc.dsw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
67KB

MD5
50dce71a753bad01a07904f2af283123

SHA1
1beab766071ddeff0c8e577c6717debcee0d21e6

SHA256
8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3

SHA512
7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01

Download Submit
memory/3396-41-0x0000000000110000-0x0000000000128000-memory.dmp

Filesize
96KB

Download
memory/3672-43-0x00007FFAF1890000-0x00007FFAF2351000-memory.dmp

Filesize
10.8MB

Download
memory/3672-44-0x0000000000EF0000-0x0000000000EFE000-memory.dmp

Filesize
56KB

Download
memory/3672-139-0x00007FFAF1890000-0x00007FFAF2351000-memory.dmp

Filesize
10.8MB

Download
memory/4216-35-0x000001E7E3860000-0x000001E7E39A0000-memory.dmp

Filesize
1.2MB

Download
memory/4216-24-0x00007FFAF1890000-0x00007FFAF2351000-memory.dmp

Filesize
10.8MB

Download
memory/4216-138-0x00007FFAF1890000-0x00007FFAF2351000-memory.dmp

Filesize
10.8MB

Download
memory/4216-141-0x00007FFAF1890000-0x00007FFAF2351000-memory.dmp

Filesize
10.8MB

Download
memory/4280-48-0x000001A931960000-0x000001A931982000-memory.dmp

Filesize
136KB

Download
memory/4996-0-0x00007FFAF1893000-0x00007FFAF1895000-memory.dmp

Filesize
8KB

Download
memory/4996-45-0x00007FFAF1890000-0x00007FFAF2351000-memory.dmp

Filesize
10.8MB

Download
memory/4996-4-0x00007FFAF1890000-0x00007FFAF2351000-memory.dmp

Filesize
10.8MB

Download
memory/4996-1-0x0000000000860000-0x00000000008EA000-memory.dmp

Filesize
552KB

Download