xworm | 757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186

General

Target

fg.exe
Size

394KB
MD5

ff7bdcc4260a35315c5a59f44fc78126
SHA1

8ca1960bdc5cb8f72fa2735bebc49f47676773c8
SHA256

757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186
SHA512

27270cb2803fe88acb58976b8ae8daab249a1110cc8bf574c014d1f49fb1d16b9798fd48341662e2fde88a86e1230a1a8ca6da6b04c5ad51add765739d827db7
SSDEEP

3072:c9apijplAUVMpC5ZgEQLmefWXMRVVmLgP:FijplhMiZgEQaefeyV

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b08-14.dat	family_xworm
behavioral2/memory/2772-15-0x0000000002EA0000-0x0000000002EB0000-memory.dmp	family_xworm
behavioral2/memory/6044-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 6044	2772	fg.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6044	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3736	2772	fg.exe	89
PID 2772 wrote to memory of 3736	2772	fg.exe	89
PID 2772 wrote to memory of 3736	2772	fg.exe	89
PID 3736 wrote to memory of 3608	3736	csc.exe	93
PID 3736 wrote to memory of 3608	3736	csc.exe	93
PID 3736 wrote to memory of 3608	3736	csc.exe	93
PID 2772 wrote to memory of 6044	2772	fg.exe	94
PID 2772 wrote to memory of 6044	2772	fg.exe	94
PID 2772 wrote to memory of 6044	2772	fg.exe	94
PID 2772 wrote to memory of 6044	2772	fg.exe	94
PID 2772 wrote to memory of 6044	2772	fg.exe	94
PID 2772 wrote to memory of 6044	2772	fg.exe	94
PID 2772 wrote to memory of 6044	2772	fg.exe	94
PID 2772 wrote to memory of 6044	2772	fg.exe	94

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mzo51bi\4mzo51bi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF68.tmp" "c:\Users\Admin\AppData\Local\Temp\4mzo51bi\CSC1DBF0542556D48F4955C1AF64C662535.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4mzo51bi\4mzo51bi.dll

Filesize
42KB

MD5
6d919ee07e6a450c70a9d1aa03543160

SHA1
351da7e44da4f20432946bf71f87941c37550f68

SHA256
6da45eb2ada89e803d80afc3e1a1d5e2b3c196f49ceb82eed82bd088fbd711b1

SHA512
23057681061b260122a466c4bf8be8cca6d9536deaf86a1d32eeebf755ce546f577143369a4dcaa23da0d29426c5cd53189e5a3a20743f6967a27c5b01830333

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF68.tmp

Filesize
1KB

MD5
f59f6a4da35c7556accf80b11d67861d

SHA1
bc616a917af62b4638e6974f285b00b3540ce647

SHA256
9640d282c889432969813a06c72dfd9d741e624e9830af00f38aa008d8f840a2

SHA512
bcf20cef290b433149dcb205c41a099118488af5d58c9789591a56549c5ef6c4efed08ce256100a3f0e142ed8f700cfb7050c2542bfb41994c5b17007d6bd0bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4mzo51bi\4mzo51bi.0.cs

Filesize
103KB

MD5
410888111f8a84cb88bea4b9876f8150

SHA1
2be368fa85db49d40df8a9346aacfec9c2188cd8

SHA256
edfdbfd4002ea7d3bf87660ad84259b343f2927e9ae31dd36a48dae2547c0adf

SHA512
c33cc37ca495245f0dcc37b0d4e7852d3c9b28fdc240a9bdd634e5b3dce05835d9c306987eae0a65712d29550ca8aeeb1d8708731b73b8551c02d97f4ae6fa06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4mzo51bi\4mzo51bi.cmdline

Filesize
204B

MD5
95b2b894943bcf916cd878ad6d4735eb

SHA1
8ea23f17f38c83f197e0927651a5042e8685a6fc

SHA256
4d5c7069fab6c340b2d332a8163df20f31a16c534749718ef8a06787b213c76c

SHA512
5ab0ac3909e581d6fb292b2600319dfbc5c5e50c43ddcb814a7cd75da3d22f240af15ad8f5a12b97bfb79ab21eaf9237d72fbf7109e3b4fd8b89a03e25997e24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4mzo51bi\CSC1DBF0542556D48F4955C1AF64C662535.TMP

Filesize
652B

MD5
93a107753593ae01e8af8e38e810f72e

SHA1
0c98608a8258aa6267d99e9fa48c0906e50f0476

SHA256
27cbc8edb61148e37418875090b58add30f2ebc6eea0ef360660bc648fab0b3f

SHA512
f817fcf05f7c1ed2bc7ffba45ae7f352242051db02cc12d2c96101187da6e84b9ae705ce9d8126333823baa364abef3ac90909041ac70f283db0b84c3a72f490

Download Submit
memory/2772-15-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/2772-21-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-1-0x0000000000B50000-0x0000000000BB8000-memory.dmp

Filesize
416KB

Download
memory/2772-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download
memory/2772-4-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/6044-20-0x0000000005350000-0x00000000053EC000-memory.dmp

Filesize
624KB

Download
memory/6044-19-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/6044-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/6044-22-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/6044-23-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/6044-24-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/6044-25-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/6044-26-0x0000000006450000-0x00000000064E2000-memory.dmp

Filesize
584KB

Download
memory/6044-27-0x0000000006AA0000-0x0000000007044000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing