xworm | ff853e1b05a5ce860ea3cc1f6beac04ac7721ca15f30795957fb35333623c76f

Analysis

max time kernel
117s
max time network
23s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MicrosoftEdge.exe
Size

3.3MB
MD5

a06a19515b00d599ecbf2c6d7a2a185a
SHA1

79c2ebaa97f6a46f6b10929d6c268541a9580aff
SHA256

ff853e1b05a5ce860ea3cc1f6beac04ac7721ca15f30795957fb35333623c76f
SHA512

f1fdba22e8f065e57fcfd468fe1e8afb40bf7e279919084ac32e1f085ef9b3d033e1462fa4295430bee063e9f0d7510899766f23abe3b4cb9121706bd4c9c2c4
SSDEEP

98304:xx6lXt2M6z/UsjaVs9jZ0WgH8zcinUP2yWkIy8vE:xx6dn6znXjCW1AiUeoaM

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
Microsoft Edge.exe
pastebin_url
https://pastebin.com/raw/zYgpCQBC
telegram
https://api.telegram.org/bot7322335748:AAEr-qkbNoi4AH-VkGzWTsoAJ0Jx3HkKwbk/sendMessage?chat_id=7763830849

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000900000001227e-5.dat	family_xworm
behavioral1/memory/2772-7-0x0000000000920000-0x0000000000956000-memory.dmp	family_xworm
behavioral1/files/0x0009000000016cd8-18.dat	family_xworm
behavioral1/memory/2160-20-0x0000000000800000-0x0000000000818000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

pid	Process
2772	SvMicrosoft Edge.exe
2556	XMouseButtonControlSetup.2.20.5.exe
2160	1.exe
2808	XMouseButtonControlSetup.2.20.5.exe

Loads dropped DLL 4 IoCs

pid	Process
2808	XMouseButtonControlSetup.2.20.5.exe
2808	XMouseButtonControlSetup.2.20.5.exe
2808	XMouseButtonControlSetup.2.20.5.exe
2808	XMouseButtonControlSetup.2.20.5.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XMouseButtonControlSetup.2.20.5.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016d1c-25.dat	nsis_installer_1
behavioral1/files/0x0007000000016d1c-25.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	XMouseButtonControlSetup.2.20.5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	SvMicrosoft Edge.exe
Token: SeDebugPrivilege	2160	1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2772	1176	MicrosoftEdge.exe	29
PID 1176 wrote to memory of 2772	1176	MicrosoftEdge.exe	29
PID 1176 wrote to memory of 2772	1176	MicrosoftEdge.exe	29
PID 1176 wrote to memory of 2556	1176	MicrosoftEdge.exe	30
PID 1176 wrote to memory of 2556	1176	MicrosoftEdge.exe	30
PID 1176 wrote to memory of 2556	1176	MicrosoftEdge.exe	30
PID 2556 wrote to memory of 2160	2556	XMouseButtonControlSetup.2.20.5.exe	31
PID 2556 wrote to memory of 2160	2556	XMouseButtonControlSetup.2.20.5.exe	31
PID 2556 wrote to memory of 2160	2556	XMouseButtonControlSetup.2.20.5.exe	31
PID 2556 wrote to memory of 2808	2556	XMouseButtonControlSetup.2.20.5.exe	32
PID 2556 wrote to memory of 2808	2556	XMouseButtonControlSetup.2.20.5.exe	32
PID 2556 wrote to memory of 2808	2556	XMouseButtonControlSetup.2.20.5.exe	32
PID 2556 wrote to memory of 2808	2556	XMouseButtonControlSetup.2.20.5.exe	32
PID 2556 wrote to memory of 2808	2556	XMouseButtonControlSetup.2.20.5.exe	32
PID 2556 wrote to memory of 2808	2556	XMouseButtonControlSetup.2.20.5.exe	32
PID 2556 wrote to memory of 2808	2556	XMouseButtonControlSetup.2.20.5.exe	32

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdge.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdge.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Roaming\SvMicrosoft Edge.exe
  "C:\Users\Admin\AppData\Roaming\SvMicrosoft Edge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Users\Admin\AppData\Roaming\XMouseButtonControlSetup.2.20.5.exe
  "C:\Users\Admin\AppData\Roaming\XMouseButtonControlSetup.2.20.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe
    "C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
72KB

MD5
86ca1f0b4ffa5c117debfd36930bd8ed

SHA1
b60034026605cbb7bfa0d959a2490d5ee8afc07e

SHA256
0269d49364112f21d4013cf1313b89d85f721497ebb00a74f94f70accefcf466

SHA512
a59c702fe1dac077cb123287f1b8cfb20e14d49ed589ede8350c1643d2cb65d72df2a68c6e4d7bd5b8606a299018521c2c66b3f534280d7de7420cc58b1dca9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe

Filesize
2.9MB

MD5
2e9725bc1d71ad1b8006dfc5a2510f88

SHA1
6e1f7d12881696944bf5e030a7d131b969de0c6c

SHA256
2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

SHA512
62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj314F.tmp\ioSpecial.ini

Filesize
418B

MD5
01cabcfa181f8a4ebb76a5534837bed2

SHA1
44fce3c7a7c8ca803c70a91ec828fd4581b4985e

SHA256
a6895673619d2cb9d702bbe45df24a601c39fdff6c081da4a6bb2e2bdfa90ef7

SHA512
c3667ca32c1ce53230a90488334472d745b8b78154cd861ba5edb2d636f1ba36f0f402597ae0b0e4d30152b6521d770dfd362e190f2628199da8079a0ac101a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj314F.tmp\ioSpecial.ini

Filesize
726B

MD5
fc2e7e9a5f42b094ed2f79985700c80d

SHA1
958eb13269e9cde12bdc7b210121743261a00b4c

SHA256
6c3602b0b43a775c0f3c98a88f7f33a2783b99b8af696ab09cf59b9892fbc262

SHA512
0337a15e419e558f9f196b354b76fb85ae8c67ef0e3eccb434db1320a254a304e1d6ac5981d0e6361794cc9d39b77050e5b02b6b330e794e6ebd7a0e13e055da

Download Submit
C:\Users\Admin\AppData\Roaming\SvMicrosoft Edge.exe

Filesize
196KB

MD5
3704b4108c5fc22934f53039170e80b1

SHA1
3e7c89c12ce94732bd98faf4f213519679c5a258

SHA256
58e1887c60d92b26ff6949984a37a5afcd79d72a2ca67091725b84c6a361298a

SHA512
a34d62a8c1c2a06a3826f5e9c9d685fd104887a4dd5c8daf47372d8c95fb8c89d02682b63eb0c8883df56303b3a135d11ebd4601f5b9198587fb602cba27f63d

Download Submit
C:\Users\Admin\AppData\Roaming\XMouseButtonControlSetup.2.20.5.exe

Filesize
3.0MB

MD5
ed193fb6b7c818e0cb4f23b28063afa4

SHA1
2dd264437554fb82fb2da776bab1b213795a4480

SHA256
0c5c102b1ac5d2a8be80d3fbceaab8392e544c9be9622443fbd4c5f710e3e005

SHA512
bc35b1805336406c2ebe5365bf5af83223f6412f3cc98cf20b38cfc5a7b34f5c685fc33a39dc8e9780c9f6d7db58a8b345b975be8c1ee35dec6ff1d4edc4242f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj314F.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj314F.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
\Users\Admin\AppData\Local\Temp\nsj314F.tmp\nsDialogs.dll

Filesize
9KB

MD5
f832e4279c8ff9029b94027803e10e1b

SHA1
134ff09f9c70999da35e73f57b70522dc817e681

SHA256
4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061

SHA512
bf92b61aa267e3935f0ea7f47d8d96f09f016e648c2a7e7dcd5ecc47da864e824c592098c1e39526b643bd126c5c99d68a7040411a4cf68857df629f24d4107d

Download Submit
memory/1176-1-0x0000000001250000-0x000000000159E000-memory.dmp

Filesize
3.3MB

Download
memory/1176-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/2160-20-0x0000000000800000-0x0000000000818000-memory.dmp

Filesize
96KB

Download
memory/2556-13-0x00000000010D0000-0x00000000013CA000-memory.dmp

Filesize
3.0MB

Download
memory/2772-7-0x0000000000920000-0x0000000000956000-memory.dmp

Filesize
216KB

Download
memory/2772-14-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-112-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-115-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download