xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

rt.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b96-14.dat	family_xworm
behavioral2/memory/3504-15-0x00000000034A0000-0x00000000034B0000-memory.dmp	family_xworm
behavioral2/memory/3176-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 3176	3504	rt.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4972	3504	rt.exe	89
PID 3504 wrote to memory of 4972	3504	rt.exe	89
PID 3504 wrote to memory of 4972	3504	rt.exe	89
PID 4972 wrote to memory of 4116	4972	csc.exe	93
PID 4972 wrote to memory of 4116	4972	csc.exe	93
PID 4972 wrote to memory of 4116	4972	csc.exe	93
PID 3504 wrote to memory of 3176	3504	rt.exe	94
PID 3504 wrote to memory of 3176	3504	rt.exe	94
PID 3504 wrote to memory of 3176	3504	rt.exe	94
PID 3504 wrote to memory of 3176	3504	rt.exe	94
PID 3504 wrote to memory of 3176	3504	rt.exe	94
PID 3504 wrote to memory of 3176	3504	rt.exe	94
PID 3504 wrote to memory of 3176	3504	rt.exe	94
PID 3504 wrote to memory of 3176	3504	rt.exe	94

C:\Users\Admin\AppData\Local\Temp\rt.exe
"C:\Users\Admin\AppData\Local\Temp\rt.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcdqnzlv\hcdqnzlv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F90.tmp" "c:\Users\Admin\AppData\Local\Temp\hcdqnzlv\CSC580FE1E458E4961A2D7748E7FE532E0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7F90.tmp

Filesize
1KB

MD5
90aeb118e728063e54afb2725eb1ee6b

SHA1
1be7cb73e13a6314f508349e923887bacde9b08d

SHA256
ac467fafcd1def3d9abeb5eadbebd1be64932bb68980e9dd9bbfe192b9459f7e

SHA512
2c9fcabd7029cee078301799e5e03c2b9fd219ab4177ef61fedee765051e0d04bb7ed8cf43bb181ec28425b6b73532219bd40d8586355ec403b50bcc8b263926

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcdqnzlv\hcdqnzlv.dll

Filesize
41KB

MD5
835fffe1a3e0d557b1bf2c9b5e9a3935

SHA1
e4486ddc2050845dbcd70ba29a923933ad32ddfd

SHA256
b04d96a20fef4fb0801e298bbc43491f463ca3a21e13764f33b3c12e6d97d25b

SHA512
14cc1a54307921c561d64a35f3a8ad3ef7e6652dac471d4d1452974872aee30838faaaf605047dd6f03bfda2ada3e94b1e69563dda00a82075ced738a28c8706

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcdqnzlv\CSC580FE1E458E4961A2D7748E7FE532E0.TMP

Filesize
652B

MD5
e2e213d91a4f282591d8d3c29d6dd771

SHA1
49af27ecad5017304d713c8b73a1f3a8399e313a

SHA256
3f50eac0b651b56d5f0fe73d61cbf0b443fb3360d84ed16a28420f9967dc9821

SHA512
20c9bd90f4b771e6d9054edb357882d00997de6547d649d4137e612ab86eefea72ee86f36c35cd4a6960c4b30c5e987fa336c147c01f3227369da15dbd31a4fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcdqnzlv\hcdqnzlv.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcdqnzlv\hcdqnzlv.cmdline

Filesize
204B

MD5
e8777375acde597b35154a221e94eaa2

SHA1
c69ad10b3cbbe9658c0f33563e29a07702f80a19

SHA256
5c9a28eb7f1c3483d51ce2a04bf3dbd0139997efe42b2dca6056261484a7eb03

SHA512
90c2c923e900f53f5565fb83d6ac1ecfd09b765eec10e420b56fd6d7384b2330f431862ff22cfe2c959d42ebfd2f9bd314d86ab3cba9cb150549a6a34a57735a

Download Submit
memory/3176-21-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/3176-24-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/3176-27-0x0000000006F10000-0x00000000074B4000-memory.dmp

Filesize
5.6MB

Download
memory/3176-26-0x00000000067C0000-0x0000000006852000-memory.dmp

Filesize
584KB

Download
memory/3176-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3176-20-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3176-25-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3176-23-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3176-22-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3504-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

Filesize
4KB

Download
memory/3504-5-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3504-19-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3504-15-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/3504-1-0x0000000000FB0000-0x0000000001004000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing