xworm | 757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186

General

Target

fg.exe
Size

394KB
MD5

ff7bdcc4260a35315c5a59f44fc78126
SHA1

8ca1960bdc5cb8f72fa2735bebc49f47676773c8
SHA256

757af13b416594d65a4c99362a537f13dde2a93b61ec8ba0b939c548b8973186
SHA512

27270cb2803fe88acb58976b8ae8daab249a1110cc8bf574c014d1f49fb1d16b9798fd48341662e2fde88a86e1230a1a8ca6da6b04c5ad51add765739d827db7
SSDEEP

3072:c9apijplAUVMpC5ZgEQLmefWXMRVVmLgP:FijplhMiZgEQaefeyV

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e726-14.dat	family_xworm
behavioral2/memory/436-15-0x0000000004E80000-0x0000000004E90000-memory.dmp	family_xworm
behavioral2/memory/976-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 436 set thread context of 976	436	fg.exe	93

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2116	436	fg.exe	89
PID 436 wrote to memory of 2116	436	fg.exe	89
PID 436 wrote to memory of 2116	436	fg.exe	89
PID 2116 wrote to memory of 1472	2116	csc.exe	92
PID 2116 wrote to memory of 1472	2116	csc.exe	92
PID 2116 wrote to memory of 1472	2116	csc.exe	92
PID 436 wrote to memory of 976	436	fg.exe	93
PID 436 wrote to memory of 976	436	fg.exe	93
PID 436 wrote to memory of 976	436	fg.exe	93
PID 436 wrote to memory of 976	436	fg.exe	93
PID 436 wrote to memory of 976	436	fg.exe	93
PID 436 wrote to memory of 976	436	fg.exe	93
PID 436 wrote to memory of 976	436	fg.exe	93
PID 436 wrote to memory of 976	436	fg.exe	93

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hrdwu2lx\hrdwu2lx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EC0.tmp" "c:\Users\Admin\AppData\Local\Temp\hrdwu2lx\CSC1B655F94BABD443CA4A345B515418E8A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9EC0.tmp

Filesize
1KB

MD5
82adb7b6873990b8e59b374eb5e946e0

SHA1
da685addd5acf8366f7a315fe983fe17bb775542

SHA256
66ed5f8c71f2ec1003ac899f618807da5986beb5c8cb884ba85409b90a28c093

SHA512
aeedf982cbb2821e06b9cb79d0eecc48f133fe247f628334eea5b69d0c42ff4ba805f2789e4a7c393ddc33642e1e70fa1ed80941466366ef4250440576c46a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrdwu2lx\hrdwu2lx.dll

Filesize
42KB

MD5
6bedebd51c7df8c932f414e59a0468e9

SHA1
f52959b797c18aa9bfbbc6422006ea92b33e5c5e

SHA256
8e2c6d5d155c210dd15d8e718804b0429f8f964e91cd23acb44a118c7876202e

SHA512
767188390d7c119abb19c1dcc767f6331da0e861156f0ba0a21e57b914b8f4b26d0bb84e041dc11c683407c31fa0afad10707e8f2e51d6e5f4af9f594b4b7887

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hrdwu2lx\CSC1B655F94BABD443CA4A345B515418E8A.TMP

Filesize
652B

MD5
9941c80d5a68211a08179b8b66aeed37

SHA1
59e090f9ef29e8801567b5e9308101238674b282

SHA256
98f0b0b72a1ce8c0ba9858a07b8781253dd803a8e4a84c8f4f79c4ee5c281023

SHA512
900c09dd8c1748ce43190849c81685c26ffe8f2d75239d40baec84150508da08c69238376438ed5a5c451e90e0b9e7ddfc6786ef1e71c313823da9e0b05988c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hrdwu2lx\hrdwu2lx.0.cs

Filesize
103KB

MD5
410888111f8a84cb88bea4b9876f8150

SHA1
2be368fa85db49d40df8a9346aacfec9c2188cd8

SHA256
edfdbfd4002ea7d3bf87660ad84259b343f2927e9ae31dd36a48dae2547c0adf

SHA512
c33cc37ca495245f0dcc37b0d4e7852d3c9b28fdc240a9bdd634e5b3dce05835d9c306987eae0a65712d29550ca8aeeb1d8708731b73b8551c02d97f4ae6fa06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hrdwu2lx\hrdwu2lx.cmdline

Filesize
204B

MD5
1e08e5b949c07db37256b5cb5f33f132

SHA1
4d3d452ba1aa9ad4b28d8894c82682a405234b43

SHA256
f95a540cf3aa7473939c13c7c68cf39dc17fee0badae98710fa3e16a21a4572e

SHA512
95e0b837a04c6928e5f3bcef937dcbdf9e1a0c8d688259d0e48f85734a914dccf338aee16a7c1407510939ec1a34aed867b42289394b8d8509e9a7ce4561f859

Download Submit
memory/436-15-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/436-20-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/436-1-0x0000000000530000-0x0000000000598000-memory.dmp

Filesize
416KB

Download
memory/436-0-0x000000007513E000-0x000000007513F000-memory.dmp

Filesize
4KB

Download
memory/436-5-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/976-21-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/976-19-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/976-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-22-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/976-23-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/976-24-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/976-25-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/976-26-0x00000000066C0000-0x0000000006752000-memory.dmp

Filesize
584KB

Download
memory/976-27-0x0000000006D10000-0x00000000072B4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing