xworm | 757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186

General

Target

fg.exe
Size

394KB
MD5

ff7bdcc4260a35315c5a59f44fc78126
SHA1

8ca1960bdc5cb8f72fa2735bebc49f47676773c8
SHA256

757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186
SHA512

27270cb2803fe88acb58976b8ae8daab249a1110cc8bf574c014d1f49fb1d16b9798fd48341662e2fde88a86e1230a1a8ca6da6b04c5ad51add765739d827db7
SSDEEP

3072:c9apijplAUVMpC5ZgEQLmefWXMRVVmLgP:FijplhMiZgEQaefeyV

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d8c-14.dat	family_xworm
behavioral1/memory/2988-15-0x00000000003D0000-0x00000000003E0000-memory.dmp	family_xworm
behavioral1/memory/2372-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2372-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2372-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2372-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2372-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 2372	2988	fg.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2400	2988	fg.exe	31
PID 2988 wrote to memory of 2400	2988	fg.exe	31
PID 2988 wrote to memory of 2400	2988	fg.exe	31
PID 2988 wrote to memory of 2400	2988	fg.exe	31
PID 2400 wrote to memory of 2972	2400	csc.exe	33
PID 2400 wrote to memory of 2972	2400	csc.exe	33
PID 2400 wrote to memory of 2972	2400	csc.exe	33
PID 2400 wrote to memory of 2972	2400	csc.exe	33
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34
PID 2988 wrote to memory of 2372	2988	fg.exe	34

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qmj3j33g\qmj3j33g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF38.tmp" "c:\Users\Admin\AppData\Local\Temp\qmj3j33g\CSCC56282162333468C9BB894D8F5EF623.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDF38.tmp

Filesize
1KB

MD5
39a55400d461a8b9c79994af51a2f99a

SHA1
e35359fc7b3fcf521c6a525182dd529cdfb17a02

SHA256
05ba77e3494e3118af5e1c688d77387fe7132d64591904dcb2dee966682f54f8

SHA512
4f72241652a1a75602c2ed9895dcdf7e9ecb5f039ba70156c48f8fc198e91b1230714a656ff3b44ddec995ffb4e72805718933915d36f550dd411175d822556c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmj3j33g\qmj3j33g.dll

Filesize
42KB

MD5
355d365d1d638b18673137483fed4610

SHA1
41313177bfc96f4f3826766b6d0b00e2f2272761

SHA256
69572d6622a5c3bf7e67074671edc543cb41f600f8d83b219728732dc5ffed16

SHA512
8f22e23ca484de5c7a6ce07b6aedb0c40427354d4333d68189ef8bf00dd5ae255e0b831c9cc7cb06b0b7d33a581ff8eeb65a044371e39f64686fa4e1bcba1d7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qmj3j33g\CSCC56282162333468C9BB894D8F5EF623.TMP

Filesize
652B

MD5
7e11a6f2b961f7bb7193711257b08858

SHA1
01ada3f8e2de65c7001f8dcfaf29eb952175ef3e

SHA256
de4ac770bad8070afa3b1cf002e9ff4be87baaf4f702af062a32ce4453b987ad

SHA512
7b54e167de5b63778181333645e4820075e218fe72e00e76da139e0b44ac202b98a3d1d35e106a7ee6ee114c7856537b5c4ca9bfaeb5cfc34b42fe8b866ab903

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qmj3j33g\qmj3j33g.0.cs

Filesize
103KB

MD5
410888111f8a84cb88bea4b9876f8150

SHA1
2be368fa85db49d40df8a9346aacfec9c2188cd8

SHA256
edfdbfd4002ea7d3bf87660ad84259b343f2927e9ae31dd36a48dae2547c0adf

SHA512
c33cc37ca495245f0dcc37b0d4e7852d3c9b28fdc240a9bdd634e5b3dce05835d9c306987eae0a65712d29550ca8aeeb1d8708731b73b8551c02d97f4ae6fa06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qmj3j33g\qmj3j33g.cmdline

Filesize
204B

MD5
8f17a7161faa7d600045796faee2b99e

SHA1
4cdfe7028fbeb5a9d85df8c3778d816939594972

SHA256
740021784ae53f4d2ce574ff93575a49d20063e014a6ac0bc42bf5cf7aa2bc98

SHA512
058c2a4656a4fda24cb1d716e9b283c66bb52227c7b55f399ccd1c22ca0222d0dfc7cef5f76b8c9157c3b33bda98d622ffe7147fbf09e2f57aa9685f5ce4e0ea

Download Submit
memory/2372-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2372-29-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-32-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-31-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2372-30-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2372-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2372-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2372-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2372-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2988-28-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-4-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/2988-15-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2988-1-0x0000000000EF0000-0x0000000000F58000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing