xworm | 17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71

General

Target

js.exe
Size

394KB
MD5

fc44a673893daac90d53e63d0f3cba69
SHA1

38476f091d4d53e32abf92cb961f8df5782734cb
SHA256

17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71
SHA512

a247d42527e4933e874710fa905a4e248fa3cdc799b863635ebcb6afabcad63b4c61c643a6bd3bc80c242d80b01459517de3bcf4548a77832d19b3a5ba054378
SSDEEP

12288:hQoqIEtLGnkEz0VgXVNX77gBjkgvSoitcOgvFwE0+fubk7IVcHMqXxTU9LiqVDRH:G

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019605-14.dat	family_xworm
behavioral1/memory/2308-15-0x00000000004C0000-0x00000000004D0000-memory.dmp	family_xworm
behavioral1/memory/2916-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2916-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2916-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2916-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2916-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2916	2308	js.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	js.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 484	2308	js.exe	30
PID 2308 wrote to memory of 484	2308	js.exe	30
PID 2308 wrote to memory of 484	2308	js.exe	30
PID 2308 wrote to memory of 484	2308	js.exe	30
PID 484 wrote to memory of 2192	484	csc.exe	32
PID 484 wrote to memory of 2192	484	csc.exe	32
PID 484 wrote to memory of 2192	484	csc.exe	32
PID 484 wrote to memory of 2192	484	csc.exe	32
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33
PID 2308 wrote to memory of 2916	2308	js.exe	33

C:\Users\Admin\AppData\Local\Temp\js.exe
"C:\Users\Admin\AppData\Local\Temp\js.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e3egoxfw\e3egoxfw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1C0.tmp" "c:\Users\Admin\AppData\Local\Temp\e3egoxfw\CSCA76F7D65ACD54A10842815E3F43F5B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD1C0.tmp

Filesize
1KB

MD5
66b7ca146006c890370f1a0eecc6341f

SHA1
1b176f1e8fc528740c2fc6e44b02050e0a88b0bf

SHA256
7f98ded9581bc7fabc6b189589b498d2cd145650a98985d365dddfb4239acb27

SHA512
b45d568e3af70d5bdcfb8a4c6b555935edac09b048217fefba82e3f68de6a4aeda0e5e55e184c9ad9a0ff44935657d279197a35586fe5bfcab40506ee6e4fe02

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3egoxfw\e3egoxfw.dll

Filesize
42KB

MD5
84d1a1948f61e11c0187e56ba9721855

SHA1
ff8a6f77b3a2e711a7c7c8b86ca42c2f87a13daa

SHA256
3fed9e63d96efbaf45f68118f8ede4cf5dd9a8fc5e2b39101e2d46e9073a3a01

SHA512
8813848366955a947bd56a1195b0b8d48384e5c1f350e173e5aecf6554d00a52de96479b021eb3abe3549e8de88b63da7e75a4b2c99dd74312fd243dee4b9987

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3egoxfw\CSCA76F7D65ACD54A10842815E3F43F5B.TMP

Filesize
652B

MD5
85b71c3368f0f70ffc2097b78a5a1f3c

SHA1
075c0bf69e5174a09692405359874bb5eb42dcf5

SHA256
187f2266d6658b84f6329ad2e7e8b1fa212f136d7600072cad7bfbb4b07cea55

SHA512
90e11cd5a805997ce003170c115ec9bc5c777b42bc681e5ad14a3f85b2860865f81cfc9f81344cb713ff73d3634885604c49d9f10c9707b881270d52852d3e9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3egoxfw\e3egoxfw.0.cs

Filesize
103KB

MD5
a85c09b310c91fac493ca2fe00dd2014

SHA1
f00ece43ccdd820892c2c3b0b130baa06113ab61

SHA256
e1ae1da5e7e56c5b43354c7ed2484f5272eb73eedcc02185cc00329ee749bae1

SHA512
6547a8fe570bf00185c44ccb8009dfcdb154e63118c8a2ccb448ae3ce9dd19802a906f34aee0bb4a0e23e5869e67ea001f6d535d928ca42ead582dec0d6667ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3egoxfw\e3egoxfw.cmdline

Filesize
204B

MD5
a63f1916daa8002ed653a2e14ee3243f

SHA1
21592ed1ddac224638a45f4c3986099306153747

SHA256
b79083d8463da9d910e5c020cc87e8e18d59a6d6157f53ae9bf9830ba4a2ba27

SHA512
d650c0684ef5204f67dc8a9149c3536ae6511b2a7a9f6ee18c5c5492c818bb31763da1df0207919a0b567a12c27472c3cb7f1d8f5d3f3f7a998b35b9d5cedfb1

Download Submit
memory/2308-28-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-0-0x000000007416E000-0x000000007416F000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x0000000000AA0000-0x0000000000B08000-memory.dmp

Filesize
416KB

Download
memory/2308-15-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2308-6-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-29-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-30-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-31-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-32-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing