xworm | e6a07c0c643535a9b65fb286f4fafce14fafef0b830557e2d67f91f06ae2bbbc

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheat.exe
Size

197KB
MD5

6b60d478dc59ba2d30610d57d36a929b
SHA1

0b9240afd4338b4ec6608ea1a2ad4624fe02b1d8
SHA256

e6a07c0c643535a9b65fb286f4fafce14fafef0b830557e2d67f91f06ae2bbbc
SHA512

15967a5595bd8a2d413628a4d4d35f5bf60c3b4529c0d17216d43620918c386de1893e621985e8b04a508353e675f23b857c7fea11fe12aa247f0812626c2d4e
SSDEEP

3072:od9kkHFE9jM/Oju8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLns:oFE9wUhcX7elbKTuq9bfF/H9d9n

Score

10^/10

xworm defense_evasion rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

ohsorry-20836.portmap.host:20836

Mutex

BV3jFFIYrb13VXbT

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2432-6-0x0000000002C70000-0x0000000002C7E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2432-1-0x0000000000BB0000-0x0000000000BE6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Disables Task Manager via registry modification
defense_evasion
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	cheat.exe

C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\50bee61c-442c-406a-9a00-e025c55e97f2.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/2432-0-0x00007FF8C4953000-0x00007FF8C4955000-memory.dmp

Filesize
8KB

Download
memory/2432-1-0x0000000000BB0000-0x0000000000BE6000-memory.dmp

Filesize
216KB

Download
memory/2432-2-0x00007FF8C4950000-0x00007FF8C5412000-memory.dmp

Filesize
10.8MB

Download
memory/2432-3-0x00007FF8C4950000-0x00007FF8C5412000-memory.dmp

Filesize
10.8MB

Download
memory/2432-4-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/2432-5-0x000000001B900000-0x000000001B90E000-memory.dmp

Filesize
56KB

Download
memory/2432-6-0x0000000002C70000-0x0000000002C7E000-memory.dmp

Filesize
56KB

Download