xworm | ff853e1b05a5ce860ea3cc1f6beac04ac7721ca15f30795957fb35333623c76f

General

Target

Microsoft Edge.exe
Size

3.3MB
MD5

a06a19515b00d599ecbf2c6d7a2a185a
SHA1

79c2ebaa97f6a46f6b10929d6c268541a9580aff
SHA256

ff853e1b05a5ce860ea3cc1f6beac04ac7721ca15f30795957fb35333623c76f
SHA512

f1fdba22e8f065e57fcfd468fe1e8afb40bf7e279919084ac32e1f085ef9b3d033e1462fa4295430bee063e9f0d7510899766f23abe3b4cb9121706bd4c9c2c4
SSDEEP

98304:xx6lXt2M6z/UsjaVs9jZ0WgH8zcinUP2yWkIy8vE:xx6dn6znXjCW1AiUeoaM

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
Microsoft Edge.exe
pastebin_url
https://pastebin.com/raw/zYgpCQBC
telegram
https://api.telegram.org/bot7322335748:AAEr-qkbNoi4AH-VkGzWTsoAJ0Jx3HkKwbk/sendMessage?chat_id=7763830849

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001202c-5.dat	family_xworm
behavioral1/memory/2348-7-0x0000000000C50000-0x0000000000C86000-memory.dmp	family_xworm
behavioral1/files/0x0008000000016875-18.dat	family_xworm
behavioral1/memory/2744-20-0x0000000000D60000-0x0000000000D78000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
2348	SvMicrosoft Edge.exe
2724	XMouseButtonControlSetup.2.20.5.exe
2744	1.exe
2852	XMouseButtonControlSetup.2.20.5.exe

Loads dropped DLL 3 IoCs

pid	Process
2852	XMouseButtonControlSetup.2.20.5.exe
2852	XMouseButtonControlSetup.2.20.5.exe
2852	XMouseButtonControlSetup.2.20.5.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XMouseButtonControlSetup.2.20.5.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016c66-24.dat	nsis_installer_1
behavioral1/files/0x0008000000016c66-24.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2852	XMouseButtonControlSetup.2.20.5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	SvMicrosoft Edge.exe
Token: SeDebugPrivilege	2744	1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 2348	692	Microsoft Edge.exe	30
PID 692 wrote to memory of 2348	692	Microsoft Edge.exe	30
PID 692 wrote to memory of 2348	692	Microsoft Edge.exe	30
PID 692 wrote to memory of 2724	692	Microsoft Edge.exe	31
PID 692 wrote to memory of 2724	692	Microsoft Edge.exe	31
PID 692 wrote to memory of 2724	692	Microsoft Edge.exe	31
PID 2724 wrote to memory of 2744	2724	XMouseButtonControlSetup.2.20.5.exe	33
PID 2724 wrote to memory of 2744	2724	XMouseButtonControlSetup.2.20.5.exe	33
PID 2724 wrote to memory of 2744	2724	XMouseButtonControlSetup.2.20.5.exe	33
PID 2724 wrote to memory of 2852	2724	XMouseButtonControlSetup.2.20.5.exe	34
PID 2724 wrote to memory of 2852	2724	XMouseButtonControlSetup.2.20.5.exe	34
PID 2724 wrote to memory of 2852	2724	XMouseButtonControlSetup.2.20.5.exe	34
PID 2724 wrote to memory of 2852	2724	XMouseButtonControlSetup.2.20.5.exe	34
PID 2724 wrote to memory of 2852	2724	XMouseButtonControlSetup.2.20.5.exe	34
PID 2724 wrote to memory of 2852	2724	XMouseButtonControlSetup.2.20.5.exe	34
PID 2724 wrote to memory of 2852	2724	XMouseButtonControlSetup.2.20.5.exe	34

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Roaming\SvMicrosoft Edge.exe
  "C:\Users\Admin\AppData\Roaming\SvMicrosoft Edge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Users\Admin\AppData\Roaming\XMouseButtonControlSetup.2.20.5.exe
  "C:\Users\Admin\AppData\Roaming\XMouseButtonControlSetup.2.20.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe
    "C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
72KB

MD5
86ca1f0b4ffa5c117debfd36930bd8ed

SHA1
b60034026605cbb7bfa0d959a2490d5ee8afc07e

SHA256
0269d49364112f21d4013cf1313b89d85f721497ebb00a74f94f70accefcf466

SHA512
a59c702fe1dac077cb123287f1b8cfb20e14d49ed589ede8350c1643d2cb65d72df2a68c6e4d7bd5b8606a299018521c2c66b3f534280d7de7420cc58b1dca9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe

Filesize
2.9MB

MD5
2e9725bc1d71ad1b8006dfc5a2510f88

SHA1
6e1f7d12881696944bf5e030a7d131b969de0c6c

SHA256
2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

SHA512
62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC9B7.tmp\ioSpecial.ini

Filesize
726B

MD5
947d30371d17c46af1e5445a0507c27f

SHA1
a0fbcc259ab2fa39f793c452659768613439a939

SHA256
d55f817a9dc04273ec1ced6077804006cc54e0d516ceb4f62dfa01ae3ff33d74

SHA512
d7d5cb3e62ff71a1857aff7cb80ce741b13244f8a590afa967b8aed5e39d629a0691ab2221be8bc121295d4f484ee9957f98843a84ed32e3a957a65632ac8028

Download Submit
C:\Users\Admin\AppData\Roaming\SvMicrosoft Edge.exe

Filesize
196KB

MD5
3704b4108c5fc22934f53039170e80b1

SHA1
3e7c89c12ce94732bd98faf4f213519679c5a258

SHA256
58e1887c60d92b26ff6949984a37a5afcd79d72a2ca67091725b84c6a361298a

SHA512
a34d62a8c1c2a06a3826f5e9c9d685fd104887a4dd5c8daf47372d8c95fb8c89d02682b63eb0c8883df56303b3a135d11ebd4601f5b9198587fb602cba27f63d

Download Submit
C:\Users\Admin\AppData\Roaming\XMouseButtonControlSetup.2.20.5.exe

Filesize
3.0MB

MD5
ed193fb6b7c818e0cb4f23b28063afa4

SHA1
2dd264437554fb82fb2da776bab1b213795a4480

SHA256
0c5c102b1ac5d2a8be80d3fbceaab8392e544c9be9622443fbd4c5f710e3e005

SHA512
bc35b1805336406c2ebe5365bf5af83223f6412f3cc98cf20b38cfc5a7b34f5c685fc33a39dc8e9780c9f6d7db58a8b345b975be8c1ee35dec6ff1d4edc4242f

Download Submit
\Users\Admin\AppData\Local\Temp\nstC9B7.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
\Users\Admin\AppData\Local\Temp\nstC9B7.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
memory/692-1-0x0000000000380000-0x00000000006CE000-memory.dmp

Filesize
3.3MB

Download
memory/692-0-0x000007FEF54B3000-0x000007FEF54B4000-memory.dmp

Filesize
4KB

Download
memory/2348-7-0x0000000000C50000-0x0000000000C86000-memory.dmp

Filesize
216KB

Download
memory/2348-14-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-112-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-113-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-13-0x0000000000FD0000-0x00000000012CA000-memory.dmp

Filesize
3.0MB

Download
memory/2744-20-0x0000000000D60000-0x0000000000D78000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing