xworm | 5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

General

Target

valorant_ESP_aimbot.exe
Size

968KB
MD5

5d43f5bb6521b71f084afe8f3eab201a
SHA1

e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914
SHA256

5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d
SHA512

5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a
SSDEEP

24576:ulBq4/QlK9/CqNzb5lgV6tZVPKilGRx1D:ulBj/V6QtGile

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6666

5.180.155.29:6666

Mutex

O3GT6cT0bZJp53nK

Attributes

Install_directory
%Temp%
install_file
winservice.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2080-2-0x000001FE46350000-0x000001FE4637A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	valorant_ESP_aimbot.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winservice.lnk	valorant_ESP_aimbot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winservice.lnk	valorant_ESP_aimbot.exe

Executes dropped EXE 2 IoCs

pid	Process
4408	winservice.exe
2900	winservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winservice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winservice.exe"	valorant_ESP_aimbot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
456	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2080	valorant_ESP_aimbot.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2080	valorant_ESP_aimbot.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	valorant_ESP_aimbot.exe
Token: SeDebugPrivilege	2080	valorant_ESP_aimbot.exe
Token: SeDebugPrivilege	4408	winservice.exe
Token: SeDebugPrivilege	2900	winservice.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2080	valorant_ESP_aimbot.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 456	2080	valorant_ESP_aimbot.exe	94
PID 2080 wrote to memory of 456	2080	valorant_ESP_aimbot.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\valorant_ESP_aimbot.exe
"C:\Users\Admin\AppData\Local\Temp\valorant_ESP_aimbot.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winservice" /tr "C:\Users\Admin\AppData\Local\Temp\winservice.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:456

C:\Users\Admin\AppData\Local\Temp\winservice.exe
C:\Users\Admin\AppData\Local\Temp\winservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\winservice.exe
C:\Users\Admin\AppData\Local\Temp\winservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winservice.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winservice.exe

Filesize
968KB

MD5
5d43f5bb6521b71f084afe8f3eab201a

SHA1
e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914

SHA256
5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

SHA512
5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a

Download Submit
memory/2080-0-0x000001FE46100000-0x000001FE4612C000-memory.dmp

Filesize
176KB

Download
memory/2080-1-0x00007FFFC86D3000-0x00007FFFC86D5000-memory.dmp

Filesize
8KB

Download
memory/2080-2-0x000001FE46350000-0x000001FE4637A000-memory.dmp

Filesize
168KB

Download
memory/2080-3-0x00007FFFC86D0000-0x00007FFFC9191000-memory.dmp

Filesize
10.8MB

Download
memory/2080-8-0x00007FFFC86D3000-0x00007FFFC86D5000-memory.dmp

Filesize
8KB

Download
memory/2080-9-0x00007FFFC86D0000-0x00007FFFC9191000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads