xworm | c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d

General

Target

fg.exe
Size

321KB
MD5

724cc4de405ed3db8a91c383cfc89f84
SHA1

45ca40cf798b7b2ea7216dba582d09dc83cd1bf5
SHA256

c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d
SHA512

2d3a4b342de5760091e6d6b77d5cdc8abad81ea9dea44bbeb37626f399c11d1405fd6eb8e2156330a684e2a3d28f6dd4ff93660816515896dc82f7a1f7d0d338
SSDEEP

6144:PzU2+BjwsX7+LtOKcvGj94+Y2MlP2yOjxK70NTDx9agjjkRE2aMoiFSV:PzU2+FwsX7+LtOKcvGj94+Y2MlP2yOj7

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173b2-14.dat	family_xworm
behavioral1/memory/2484-15-0x00000000003C0000-0x00000000003D0000-memory.dmp	family_xworm
behavioral1/memory/2784-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2784-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2784-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2784-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2784-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2784	2484	fg.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1860	2484	fg.exe	30
PID 2484 wrote to memory of 1860	2484	fg.exe	30
PID 2484 wrote to memory of 1860	2484	fg.exe	30
PID 2484 wrote to memory of 1860	2484	fg.exe	30
PID 1860 wrote to memory of 2164	1860	csc.exe	32
PID 1860 wrote to memory of 2164	1860	csc.exe	32
PID 1860 wrote to memory of 2164	1860	csc.exe	32
PID 1860 wrote to memory of 2164	1860	csc.exe	32
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33
PID 2484 wrote to memory of 2784	2484	fg.exe	33

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ritbu2dh\ritbu2dh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA62E.tmp" "c:\Users\Admin\AppData\Local\Temp\ritbu2dh\CSCD9DE4F0FE74A4191A11AA2939851CD3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA62E.tmp

Filesize
1KB

MD5
8245c10d30fafbe358937c7fbff0e835

SHA1
da52ea02692689b120000867696ee6c988e8e74c

SHA256
91c4159f0fa55c37da892381b02b92bbbe23b80c44483217498a507df8ca913c

SHA512
7b34d6b17628f3db757c3fd1b62c0fc25316fefa339a8ad13501994446cad3b5928ce833223d96f25491c16ff13cc268ea1730e590063da405741bf96442e89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ritbu2dh\ritbu2dh.dll

Filesize
42KB

MD5
e7f44e539c203f457dceee707dc19cc7

SHA1
db7d9e3c565360959479c6b511b270f63b4a400f

SHA256
ef4d4f0f91ad9b62121509fe136f6ec6a5dbd49d1a4c4ae0a4fa290d474bb38e

SHA512
be4c6b289b7dc9845cfde051e8dfd55dde19fa8c42765b5094a2b71fe7b5c0141e0f7d058c6679ed0e0ffdd14c855a9ba8957ced76917dd559aa858187ed8a6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ritbu2dh\CSCD9DE4F0FE74A4191A11AA2939851CD3.TMP

Filesize
652B

MD5
b602e429a0e141632b700e543dc8c4f9

SHA1
0cfa784f0b25c4eed88fbf05655be67d5b33a75f

SHA256
ef52d66d64cd8a03e61a472fae2a40db3544a47ea115b850f6e3b46aa7283ef1

SHA512
ab223bf636c5ed625f90320570832c382f7217edc474c53bd0f685beee6380298718118850a3754cc810dc4438d6fe34895794f2850bf10db8d17866aeffc225

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ritbu2dh\ritbu2dh.0.cs

Filesize
104KB

MD5
4c235e59a96c8c09a6f7e97b95772164

SHA1
7350cfb88fbf6a2e7a9b12ad85f12e174b22b76a

SHA256
3a8459f7033c4dec0a2a8ee37090fa2fe38a2013667c969ac870965deb0b8c8d

SHA512
0857cc0c6c0aa7204772873a02fbeb11a05d0c890241eedaee6bf4fdd3a4ceaf18e6d612c7e3d47ba1c077104cf91809b133dc2420864d16cd15315c2d47cdf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ritbu2dh\ritbu2dh.cmdline

Filesize
204B

MD5
dee782c2b6ab3e48becb5200374b5815

SHA1
23f0868e9b1bb67f56cb05f1271d8e264e372f57

SHA256
3962561becfbe6e7d5e49dc1c3119bbc9613b7a3cfce8fd7b90e50d55ee60e21

SHA512
0cffa9c5cfed5cec5019f409073b7cc28225e809cc809a91e83cce0b0619bbeb11cb3f3ca53fbb096713357b4d0124d9fd39db52efa5925a8245e1dfe9d75376

Download Submit
memory/2484-0-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2484-1-0x0000000001360000-0x00000000013B6000-memory.dmp

Filesize
344KB

Download
memory/2484-5-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-15-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2484-29-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-28-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-30-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-31-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-32-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing