xworm | c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d

General

Target

fg.exe
Size

321KB
MD5

724cc4de405ed3db8a91c383cfc89f84
SHA1

45ca40cf798b7b2ea7216dba582d09dc83cd1bf5
SHA256

c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d
SHA512

2d3a4b342de5760091e6d6b77d5cdc8abad81ea9dea44bbeb37626f399c11d1405fd6eb8e2156330a684e2a3d28f6dd4ff93660816515896dc82f7a1f7d0d338
SSDEEP

6144:PzU2+BjwsX7+LtOKcvGj94+Y2MlP2yOjxK70NTDx9agjjkRE2aMoiFSV:PzU2+FwsX7+LtOKcvGj94+Y2MlP2yOj7

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e724-14.dat	family_xworm
behavioral2/memory/4888-15-0x0000000004DC0000-0x0000000004DD0000-memory.dmp	family_xworm
behavioral2/memory/1692-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4888 set thread context of 1692	4888	fg.exe	98

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4688	4888	fg.exe	94
PID 4888 wrote to memory of 4688	4888	fg.exe	94
PID 4888 wrote to memory of 4688	4888	fg.exe	94
PID 4688 wrote to memory of 1644	4688	csc.exe	96
PID 4688 wrote to memory of 1644	4688	csc.exe	96
PID 4688 wrote to memory of 1644	4688	csc.exe	96
PID 4888 wrote to memory of 1692	4888	fg.exe	98
PID 4888 wrote to memory of 1692	4888	fg.exe	98
PID 4888 wrote to memory of 1692	4888	fg.exe	98
PID 4888 wrote to memory of 1692	4888	fg.exe	98
PID 4888 wrote to memory of 1692	4888	fg.exe	98
PID 4888 wrote to memory of 1692	4888	fg.exe	98
PID 4888 wrote to memory of 1692	4888	fg.exe	98
PID 4888 wrote to memory of 1692	4888	fg.exe	98

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vehwbc0l\vehwbc0l.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES804C.tmp" "c:\Users\Admin\AppData\Local\Temp\vehwbc0l\CSC77905E066E0475CB7EFF2BECB5B4C79.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES804C.tmp

Filesize
1KB

MD5
dbc6f193c12cafb8d6e5f51385ccedd2

SHA1
202626fa037a9af3d738912710dd19ae742b444f

SHA256
d77e9dc16614ffee1070e3e832f66a2d9dda147c5040fdea4217809a34c66c1a

SHA512
8ef19a8d8512e7839c89203f9fdcca774915a632dd9dae14c21eeae501daf1745b9c8e83d5eb14c2b987616a3e09b79aa3c9b93e00b200db967929fe134c0558

Download Submit
C:\Users\Admin\AppData\Local\Temp\vehwbc0l\vehwbc0l.dll

Filesize
42KB

MD5
fb6bdd28cb40a7b3cd959c3ac066b67b

SHA1
3758b51a9e0d9d1df6a601076043042126ec7635

SHA256
285a2f9a6093bb2492e72d56dcab6ab4e9d9b0a7c8c8a94ff49c47d0751f439a

SHA512
31312df3084585a2278298c758304f4dd4bf5d279057f428cb6a6626ec4dd768d470f31a775a20f31a0539414dbca7c404ba0f9127afce12a0d343e0208501d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vehwbc0l\CSC77905E066E0475CB7EFF2BECB5B4C79.TMP

Filesize
652B

MD5
4bca6f8bc5b63e228fad4bc1d58c1237

SHA1
09ced267ff3164dd82b1a2f6ffbea9b1560ece16

SHA256
91c3e07b32b7cc39a0c7d98bcd511386ddb4064331f5e0558094a3a1a3393215

SHA512
b1498a28a338c699d351fecf71d22d8726d8c2b90adbf757cbc50e4eab789d683235ed75a57532105e15da6d6e8ac4393d6ffa345eaaa942c35d4d1f49c9edd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vehwbc0l\vehwbc0l.0.cs

Filesize
104KB

MD5
4c235e59a96c8c09a6f7e97b95772164

SHA1
7350cfb88fbf6a2e7a9b12ad85f12e174b22b76a

SHA256
3a8459f7033c4dec0a2a8ee37090fa2fe38a2013667c969ac870965deb0b8c8d

SHA512
0857cc0c6c0aa7204772873a02fbeb11a05d0c890241eedaee6bf4fdd3a4ceaf18e6d612c7e3d47ba1c077104cf91809b133dc2420864d16cd15315c2d47cdf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vehwbc0l\vehwbc0l.cmdline

Filesize
204B

MD5
fa206b8a84a8e5db4b1a0116798f5c93

SHA1
2bd112d1f16aaab911bdb54cc542cbd6aca3593b

SHA256
6c9a430ec22dbc99946cf2041a970f33023b85ac82c24c23af24602203e56a7d

SHA512
a4862f4a4e4fcc87328c4a021e1ec012366d6a423f38c045d5f7609b4060b6436139000d16c8d1fbcd4f595a763b3adc537b2a9be89c0c19e910c48cd28e94a6

Download Submit
memory/1692-21-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download
memory/1692-24-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-27-0x0000000006B70000-0x0000000007114000-memory.dmp

Filesize
5.6MB

Download
memory/1692-26-0x0000000006520000-0x00000000065B2000-memory.dmp

Filesize
584KB

Download
memory/1692-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1692-25-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-20-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-23-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/1692-22-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4888-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/4888-5-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4888-19-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4888-15-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4888-1-0x0000000000480000-0x00000000004D6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing