xworm | 167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf

General

Target

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe
Size

315KB
MD5

47db83a48f4ce42a918802f20de2728f
SHA1

676554792c422bd78cc6763efc863b52c9c41ac8
SHA256

167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf
SHA512

54a99695dba773bae591fba6ac9c5c5c9e9f0742ff1c40ebbc316b32fc8a4738e43515ab1977abe1f560d170023c73bdfcc710aaedc79fa0c1bea5b342e5b694
SSDEEP

1536:yzJC0dKuaIOz7Q0gLkUAg4YvRjYEBIU3joFpCm26oq7kd4m4sMXLiIRTCbpvYLsf:ytCmW49aSpgFXm1cC5gYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

92.255.85.66:7000

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015694-14.dat	family_xworm
behavioral1/memory/3036-15-0x00000000002C0000-0x00000000002D0000-memory.dmp	family_xworm
behavioral1/memory/2904-26-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2904-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2904-24-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2904-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2904-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2652	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	30
PID 3036 wrote to memory of 2652	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	30
PID 3036 wrote to memory of 2652	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	30
PID 3036 wrote to memory of 2652	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	30
PID 2652 wrote to memory of 2756	2652	csc.exe	32
PID 2652 wrote to memory of 2756	2652	csc.exe	32
PID 2652 wrote to memory of 2756	2652	csc.exe	32
PID 2652 wrote to memory of 2756	2652	csc.exe	32
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33
PID 3036 wrote to memory of 2904	3036	167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe	33

C:\Users\Admin\AppData\Local\Temp\167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe
"C:\Users\Admin\AppData\Local\Temp\167f580207b3f640e0b68cbd3bf38770f7499c8be0b4f6deddbc7c8d212120bf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\00bi5w54\00bi5w54.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BCB.tmp" "c:\Users\Admin\AppData\Local\Temp\00bi5w54\CSCE066DAB9B9B450B912AA1564F21C7A7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00bi5w54\00bi5w54.dll

Filesize
41KB

MD5
c10491df86982a7ac4cf80846aaf69f0

SHA1
8f8385f1a8789bd2dc2ad20a117b86caf9b6fe96

SHA256
394245e1602f8ea52d3799d23386e97506205511875ae5431c566ae123d8af03

SHA512
d414be453b1559854b51f08b5fdd5803cedd8f867f36f35e919a798c9fe854d5edafaa4fa77e30a9f5a2292d3af06fe732fef0a3ab3f9244e97147cdea480e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8BCB.tmp

Filesize
1KB

MD5
7623829026e2160f5f8a0b760e908adb

SHA1
bb5c43bf2a3f99dca24589aef2be238d16515468

SHA256
cee2ce862de736dfae8047bee5248a77e25c33199f020ab4af52c217885cac24

SHA512
15f0bf432566897754ebe109248a18178c4b0f3f9d903185f1b02155cbc4be7e2774341023b949aa8b524fbbe03ad4a227c5285c5904673df2d98dbedca33c8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\00bi5w54\00bi5w54.0.cs

Filesize
101KB

MD5
b7d84d4752fcef0d27c1c6f62d557f7a

SHA1
92c0d7e926329f5e997f3b9753d9d3db42f18c24

SHA256
81f1e49e831871b44b80ef805a6e39d33166acc9f74dfc7e61689d33a2379908

SHA512
250f62f087245ffc81b1cd3d0bd0d27748e4cb20c9452c4f97ccd69bf903d275996be8607a6ba05a50bbf089f18ac1423db9074d9845a010ae440037866ea54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\00bi5w54\00bi5w54.cmdline

Filesize
204B

MD5
474c89db074cf1f20f85b50be03e9879

SHA1
469726a6a3f87729684d36dea64f673be6da2995

SHA256
93d45135e4577ac455320432068681a2ed4ed5c6dd8930d64dc3756cd5565e64

SHA512
4c77eefb05c8ba76446338ebd8c4a5ba713cf37b1546b42b117aa06f6865653cf1ae14f8f6ed498eca9d08c773f09b16561bb7cd9ce55eeaf53641040ab3092a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\00bi5w54\CSCE066DAB9B9B450B912AA1564F21C7A7.TMP

Filesize
652B

MD5
720b5dc67b6772e552128744089652a9

SHA1
49fa8ad6f7e697a1385e89ef9c463b5352d11c60

SHA256
73ff29f536e19a07025d073f6627eee22f86b2366f968df58fbef846957a8d89

SHA512
75b7467a248340e8e6a8090166753114defbb5f640161f09f623738f54bd3cfad383e7a44b95961fe28bcef9986e7ed98f10faa900baa873c9e8bd6769e1b7e9

Download Submit
memory/2904-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2904-30-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-33-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-32-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-26-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2904-31-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2904-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2904-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2904-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2904-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3036-29-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-5-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/3036-15-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/3036-1-0x0000000000010000-0x0000000000064000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing