xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000017409-14.dat	family_xworm
behavioral1/memory/2412-15-0x00000000004D0000-0x00000000004E0000-memory.dmp	family_xworm
behavioral1/memory/1136-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1136-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1136-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1136-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1136-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2772	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	30
PID 2412 wrote to memory of 2772	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	30
PID 2412 wrote to memory of 2772	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	30
PID 2412 wrote to memory of 2772	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	30
PID 2772 wrote to memory of 2560	2772	csc.exe	32
PID 2772 wrote to memory of 2560	2772	csc.exe	32
PID 2772 wrote to memory of 2560	2772	csc.exe	32
PID 2772 wrote to memory of 2560	2772	csc.exe	32
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33
PID 2412 wrote to memory of 1136	2412	SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe	33

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ms1wnbg0\ms1wnbg0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC78.tmp" "c:\Users\Admin\AppData\Local\Temp\ms1wnbg0\CSC51DFE0E487644F82B863AEBA1EA49F4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFC78.tmp

Filesize
1KB

MD5
bd98580e1ce3f2cd2bd963995eece28e

SHA1
bd62a8222a5d742fb837f1613b35cb3f65503150

SHA256
09723bff3ecc062ac93996fa4c02287fefdc16491f31b58298e095fbace40fed

SHA512
235c0e6f3a623b4d1265e0eb05c3348b9190219607a96ae1559b059b347a56ed0fea170caae99800387dec5150973923d702b7e5b69efe0fd729704b34900b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms1wnbg0\ms1wnbg0.dll

Filesize
41KB

MD5
6b29155af89e7015120e465c709ff4ae

SHA1
1257c15a57f75033f2b1cf6f1f2030102c2dc49e

SHA256
c76fc171ce39878229dd71a718fba352b9c139ad760c03b947fa027143d47705

SHA512
3b3cd796527416177d9daf3bc43d0a81a90f0728467a1d779bb77eea1d9aa852b61196bfcbdb79cb416a62ac66dd6f151a6547825f97f3d2f90db68afd1540d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ms1wnbg0\CSC51DFE0E487644F82B863AEBA1EA49F4.TMP

Filesize
652B

MD5
d42dd2515a048eb4cba136aebbc99069

SHA1
c6aee0200617d4238318fad095b03a3ba6fb868a

SHA256
ae6b6fa0413f0e923a3ac7f8c9c522fcc890efd5b2f1ba848ed406ab1ec70701

SHA512
18e0de17229483ad5eda466fd4872ca2709bb207e305c8b29bb08688ff4e365334d9af3860cfc9bd6c0790f8d395e87830c1e3914654c131a295f092e422a49d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ms1wnbg0\ms1wnbg0.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ms1wnbg0\ms1wnbg0.cmdline

Filesize
204B

MD5
019c378c7a821c8730463d39ab08cd7e

SHA1
64062a271a9d09c4c7721c35bade675bbbda1a78

SHA256
b3ed5819ff5afd517d9384f4c7597697c1d9d44be4dd7fae1719062de23a2e35

SHA512
2ec2f7a4840a6cc5f7ff38daa867fb13946c3805d815c4b33d110c7d4c8bb05f97be52f7e595176e1a188460f25df3efab27c52e4f925e8df6d2b80ae6d08ff8

Download Submit
memory/1136-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1136-29-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1136-32-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1136-31-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1136-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1136-30-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1136-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1136-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1136-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1136-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1136-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1136-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-28-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2412-6-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2412-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/2412-15-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2412-1-0x0000000000970000-0x00000000009C4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing