xworm | 5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

General

Target

valorant_ESP_aimbot.exe
Size

968KB
MD5

5d43f5bb6521b71f084afe8f3eab201a
SHA1

e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914
SHA256

5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d
SHA512

5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a
SSDEEP

24576:ulBq4/QlK9/CqNzb5lgV6tZVPKilGRx1D:ulBj/V6QtGile

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6666

5.180.155.29:6666

Mutex

O3GT6cT0bZJp53nK

Attributes

Install_directory
%Temp%
install_file
winservice.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5808-2-0x0000021E9A030000-0x0000021E9A05A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winservice.lnk	valorant_ESP_aimbot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winservice.lnk	valorant_ESP_aimbot.exe

Executes dropped EXE 3 IoCs

pid	Process
3028	winservice.exe
5152	winservice.exe
4896	winservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\winservice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winservice.exe"	valorant_ESP_aimbot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4056	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5808	valorant_ESP_aimbot.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5808	valorant_ESP_aimbot.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5808	valorant_ESP_aimbot.exe
Token: SeDebugPrivilege	5808	valorant_ESP_aimbot.exe
Token: SeDebugPrivilege	3028	winservice.exe
Token: SeDebugPrivilege	5152	winservice.exe
Token: SeDebugPrivilege	4896	winservice.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5808	valorant_ESP_aimbot.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5808 wrote to memory of 4056	5808	valorant_ESP_aimbot.exe	83
PID 5808 wrote to memory of 4056	5808	valorant_ESP_aimbot.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\valorant_ESP_aimbot.exe
"C:\Users\Admin\AppData\Local\Temp\valorant_ESP_aimbot.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winservice" /tr "C:\Users\Admin\AppData\Local\Temp\winservice.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4056

C:\Users\Admin\AppData\Local\Temp\winservice.exe
C:\Users\Admin\AppData\Local\Temp\winservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Users\Admin\AppData\Local\Temp\winservice.exe
C:\Users\Admin\AppData\Local\Temp\winservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Users\Admin\AppData\Local\Temp\winservice.exe
C:\Users\Admin\AppData\Local\Temp\winservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winservice.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\winservice.exe

Filesize
968KB

MD5
5d43f5bb6521b71f084afe8f3eab201a

SHA1
e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914

SHA256
5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

SHA512
5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a

Download Submit
memory/5808-0-0x0000021E99EE0000-0x0000021E99F0C000-memory.dmp

Filesize
176KB

Download
memory/5808-1-0x00007FFDA4923000-0x00007FFDA4925000-memory.dmp

Filesize
8KB

Download
memory/5808-2-0x0000021E9A030000-0x0000021E9A05A000-memory.dmp

Filesize
168KB

Download
memory/5808-3-0x00007FFDA4920000-0x00007FFDA53E2000-memory.dmp

Filesize
10.8MB

Download
memory/5808-9-0x00007FFDA4923000-0x00007FFDA4925000-memory.dmp

Filesize
8KB

Download
memory/5808-11-0x00007FFDA4920000-0x00007FFDA53E2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads