xworm | 5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

General

Target

valorant_ESP_aimbot.exe
Size

968KB
MD5

5d43f5bb6521b71f084afe8f3eab201a
SHA1

e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914
SHA256

5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d
SHA512

5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a
SSDEEP

24576:ulBq4/QlK9/CqNzb5lgV6tZVPKilGRx1D:ulBj/V6QtGile

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6666

5.180.155.29:6666

Mutex

O3GT6cT0bZJp53nK

Attributes

Install_directory
%Temp%
install_file
winservice.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4784-2-0x000001EDA16B0000-0x000001EDA16DA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	valorant_ESP_aimbot.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winservice.lnk	valorant_ESP_aimbot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winservice.lnk	valorant_ESP_aimbot.exe

Executes dropped EXE 3 IoCs

pid	Process
1516	winservice.exe
1728	winservice.exe
904	winservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winservice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winservice.exe"	valorant_ESP_aimbot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4296	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4784	valorant_ESP_aimbot.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4784	valorant_ESP_aimbot.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	valorant_ESP_aimbot.exe
Token: SeDebugPrivilege	4784	valorant_ESP_aimbot.exe
Token: SeDebugPrivilege	1516	winservice.exe
Token: SeDebugPrivilege	1728	winservice.exe
Token: SeDebugPrivilege	904	winservice.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4784	valorant_ESP_aimbot.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4296	4784	valorant_ESP_aimbot.exe	89
PID 4784 wrote to memory of 4296	4784	valorant_ESP_aimbot.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\valorant_ESP_aimbot.exe
"C:\Users\Admin\AppData\Local\Temp\valorant_ESP_aimbot.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winservice" /tr "C:\Users\Admin\AppData\Local\Temp\winservice.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4296

C:\Users\Admin\AppData\Local\Temp\winservice.exe
"C:\Users\Admin\AppData\Local\Temp\winservice.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Local\Temp\winservice.exe
"C:\Users\Admin\AppData\Local\Temp\winservice.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\AppData\Local\Temp\winservice.exe
"C:\Users\Admin\AppData\Local\Temp\winservice.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winservice.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\winservice.exe

Filesize
968KB

MD5
5d43f5bb6521b71f084afe8f3eab201a

SHA1
e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914

SHA256
5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

SHA512
5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a

Download Submit
memory/4784-0-0x000001EDA14A0000-0x000001EDA14CC000-memory.dmp

Filesize
176KB

Download
memory/4784-1-0x00007FFC6EF73000-0x00007FFC6EF75000-memory.dmp

Filesize
8KB

Download
memory/4784-2-0x000001EDA16B0000-0x000001EDA16DA000-memory.dmp

Filesize
168KB

Download
memory/4784-3-0x00007FFC6EF70000-0x00007FFC6FA32000-memory.dmp

Filesize
10.8MB

Download
memory/4784-8-0x00007FFC6EF73000-0x00007FFC6EF75000-memory.dmp

Filesize
8KB

Download
memory/4784-9-0x00007FFC6EF70000-0x00007FFC6FA32000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads