xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

rt.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d7e-14.dat	family_xworm
behavioral1/memory/2632-15-0x0000000000210000-0x0000000000220000-memory.dmp	family_xworm
behavioral1/memory/2684-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2684-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2684-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2684-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2684-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2684	2632	rt.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2880	2632	rt.exe	30
PID 2632 wrote to memory of 2880	2632	rt.exe	30
PID 2632 wrote to memory of 2880	2632	rt.exe	30
PID 2632 wrote to memory of 2880	2632	rt.exe	30
PID 2880 wrote to memory of 2780	2880	csc.exe	32
PID 2880 wrote to memory of 2780	2880	csc.exe	32
PID 2880 wrote to memory of 2780	2880	csc.exe	32
PID 2880 wrote to memory of 2780	2880	csc.exe	32
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33
PID 2632 wrote to memory of 2684	2632	rt.exe	33

C:\Users\Admin\AppData\Local\Temp\rt.exe
"C:\Users\Admin\AppData\Local\Temp\rt.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atbmrbk1\atbmrbk1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F6.tmp" "c:\Users\Admin\AppData\Local\Temp\atbmrbk1\CSC13E514D19CDE4689BF778DA072B645F4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES56F6.tmp

Filesize
1KB

MD5
75905dbb93f6a76764447cc0672b0872

SHA1
83f035ebd361588d479ef03e3bf32423bb5e467a

SHA256
b452d9797ed70bf2a311cb84204572818d2e9c8b975593a530b5fe3cb228ca45

SHA512
4ca68d783050d149b4ea770cc9fd5afc0f0f3c0754c4ae4c511d87da89c8a37f9652fdc1cc3e07135026642b508f27ad80d1a12b117cb1c2adac8636ee7097db

Download Submit
C:\Users\Admin\AppData\Local\Temp\atbmrbk1\atbmrbk1.dll

Filesize
41KB

MD5
7ee1eea58c98890467b378750162fa38

SHA1
68bc61f307da25d09b29adc3c38b0ced80da2aaa

SHA256
77177aa9c69058bc944e96ec0935f9338bed64d7e8942773def60c73ad3989e7

SHA512
570db9adff7da58b868506d8665ab3cf75648c5526b8968d2930e04f1ef6fe0b45fa0e097442292d9aa9b03b731c8c41627bbcaceba4b3113f9aedca4bcffb22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atbmrbk1\CSC13E514D19CDE4689BF778DA072B645F4.TMP

Filesize
652B

MD5
3e595ea379d29090041729d65c85f59f

SHA1
e3cc26ff870d7333beec4139062cdfb5ffad0b0e

SHA256
0645aa3bc78390f4c3b647bb180e5d2efc2b7c992f9588219202c659946ff3e8

SHA512
fb2bd9f9f6c1d6b54f788475bb23ca5d9cfcfdf27638fa796b5551ad278a6cf88fc9c7e89d5c00dff0dd1abadfb3f9d78afda908a2672239cbf5d153fd578c83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atbmrbk1\atbmrbk1.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atbmrbk1\atbmrbk1.cmdline

Filesize
204B

MD5
4e92251c4ee302661ec61fb22c772405

SHA1
66a71bcdec575ffd2478f133e3408c03f2d47ed4

SHA256
80f1deb7e4cae4641aed4c5b80bbfc279b5c8d94e20b1a420308f4a5e7f8c08f

SHA512
628579c8b6123fe5441ed504e7ca5ced08fcc22f8a7a759b78bed5812349d70eca8ffc3e6c766e78c7d6bbae3268347d4da62ff10cff8dbf9f623ad83a30886a

Download Submit
memory/2632-0-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2632-5-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-15-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/2632-28-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2684-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2684-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2684-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2684-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2684-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2684-29-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2684-30-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-31-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing