xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

rt.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e957-14.dat	family_xworm
behavioral2/memory/1768-15-0x0000000002D70000-0x0000000002D80000-memory.dmp	family_xworm
behavioral2/memory/2448-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 2448	1768	rt.exe	96

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 4964	1768	rt.exe	93
PID 1768 wrote to memory of 4964	1768	rt.exe	93
PID 1768 wrote to memory of 4964	1768	rt.exe	93
PID 4964 wrote to memory of 4252	4964	csc.exe	95
PID 4964 wrote to memory of 4252	4964	csc.exe	95
PID 4964 wrote to memory of 4252	4964	csc.exe	95
PID 1768 wrote to memory of 2448	1768	rt.exe	96
PID 1768 wrote to memory of 2448	1768	rt.exe	96
PID 1768 wrote to memory of 2448	1768	rt.exe	96
PID 1768 wrote to memory of 2448	1768	rt.exe	96
PID 1768 wrote to memory of 2448	1768	rt.exe	96
PID 1768 wrote to memory of 2448	1768	rt.exe	96
PID 1768 wrote to memory of 2448	1768	rt.exe	96
PID 1768 wrote to memory of 2448	1768	rt.exe	96

C:\Users\Admin\AppData\Local\Temp\rt.exe
"C:\Users\Admin\AppData\Local\Temp\rt.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umjng4ve\umjng4ve.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF52D.tmp" "c:\Users\Admin\AppData\Local\Temp\umjng4ve\CSC48257AEF8A25475E85D53321D2E525C5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF52D.tmp

Filesize
1KB

MD5
e0805caa147345daf643046c9e5627b4

SHA1
364bcae546f3a691f5eda636eedc67f8e4917d1d

SHA256
fe879f3591a6175a832a1649c0cc37b2786f8723dd8bd03073c5dee5530e4c0e

SHA512
55967f81ac71cb499fa2e215c1f9e7625e8fe5f3fced507aa177c48f6068c8f31a3f6fd30b1f2c36bbbf21fc7c619a68d66e84580301d53df82c2fc3e95b6aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\umjng4ve\umjng4ve.dll

Filesize
41KB

MD5
ee3a603d3ffe8215fc16a0d8da41e4cf

SHA1
b0d96163488dd36f15c3686e6df4c7cc56556f5d

SHA256
9ef9dcb639c345fcac51add25b04fe4309948cdbc667483c187401891a79e3e8

SHA512
699fe491a139cc11d53aaeb868b4bc56c8aef6fbbb9cdf875fdbc0a64e1660ae305ffed97ff1ff2f508bb9529d3d27c4220d17ad1526983782f5ebf6be40d452

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umjng4ve\CSC48257AEF8A25475E85D53321D2E525C5.TMP

Filesize
652B

MD5
33d39dc7712bafb7c3e80962c5b760d1

SHA1
394588f08071b7245314056c7737cb42ad4bf0c1

SHA256
e61366c8e9d97c30ac1e6e9a802a99f837557885ece9e619ef3f66bbb452085a

SHA512
44bc9dae00d1b48788b4ef7ce890ab3b52aa394d066bc38c077633718c09d435357c54fb100d208b82ac417f2cb376b84109330dd001c832d66c732489a1ee9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umjng4ve\umjng4ve.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umjng4ve\umjng4ve.cmdline

Filesize
204B

MD5
e30cec975330755ffe4da454c9654f47

SHA1
50ce6b6b679210c612463cf7545904ad1de67e56

SHA256
e90ea7eb1638b8fc28eea1bd43e6ad50926170a2cd3c9d8928affdd28d53ae92

SHA512
86c18d07ec008987b09c0f8d204c050b41115cc4922874b90ccdbf516583edb13fb7791c214a489c28eb76b7a1486195f6be3f744a58d5898524067c78f7d62d

Download Submit
memory/1768-15-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/1768-19-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/1768-1-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/1768-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/1768-5-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2448-21-0x0000000005660000-0x00000000056FC000-memory.dmp

Filesize
624KB

Download
memory/2448-20-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2448-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2448-22-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2448-23-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2448-24-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/2448-25-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2448-26-0x0000000006810000-0x00000000068A2000-memory.dmp

Filesize
584KB

Download
memory/2448-27-0x0000000006E60000-0x0000000007404000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing