xworm | 8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088

General

Target

8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
Size

315KB
MD5

918f83cd6d935bd729990142f8e276e0
SHA1

bd15b5a29a83b86d1ab177f16f6d0f3a54dc6741
SHA256

8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088
SHA512

c8e529a268fa1ca589d362538b9b9368a518cdead33cbe383dbb7ffdcced101950911e0cea4ebf0b5343583e48e3b8b490c3167874505a09d53da57cf25f05f1
SSDEEP

1536:LTJkxPIwcXpo/s/wyQC7CEJ0nMbYcj/RPc4YjDI4ox0V+s4jDu3Eyufeso1+qUQB:LNqP3UW/s4LQYGhcC1yufwqXYoQN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4708-15-0x0000000002610000-0x0000000002620000-memory.dmp	family_xworm
behavioral2/files/0x000200000001e717-14.dat	family_xworm
behavioral2/memory/3684-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4664	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	88
PID 4708 wrote to memory of 4664	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	88
PID 4708 wrote to memory of 4664	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	88
PID 4664 wrote to memory of 3516	4664	csc.exe	90
PID 4664 wrote to memory of 3516	4664	csc.exe	90
PID 4664 wrote to memory of 3516	4664	csc.exe	90
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91
PID 4708 wrote to memory of 3684	4708	8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe	91

C:\Users\Admin\AppData\Local\Temp\8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe
"C:\Users\Admin\AppData\Local\Temp\8f8830b812c8f50559cddc20140148f16c2c6681b8087da382aab91a1d22e088.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vchn1v3\4vchn1v3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7E1.tmp" "c:\Users\Admin\AppData\Local\Temp\4vchn1v3\CSC134E2E4D24B4021998A3622746E8CA4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4vchn1v3\4vchn1v3.dll

Filesize
41KB

MD5
ca1aff1276abf272603091578604c0b8

SHA1
bf358e7e80ad832c98c1df3c627b22998e94b618

SHA256
d9b28d4d6e996617b738c3c32dbcb30a7d8dfd6f5e5cecdd701bb9a9ab32dd47

SHA512
38033f0d9ae8965c762240c83e144f470cbcbba7254f376e76eb7ff6540c3b515e8f21c8927fd4f1e03e71e4de45104308c5ab7fe89a1c660fce4cf887417ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD7E1.tmp

Filesize
1KB

MD5
ae1b5642e5c7152b30dacc5cbfa3a70e

SHA1
f5ec1df099e2f5369acc6b9dcf49b74bbb015b5a

SHA256
9aad73dcc727eb12473dd2146f15e3d20ad23437668e40fc02fa3a5ecb81bbb3

SHA512
63e135d163daba2ea24375a9dbf420c750cfa6d536c24407e9386a1ce5e83816b10b8eb835a686f775fa01777b68c99e9abe1e345ba809eda3878253a68341e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vchn1v3\4vchn1v3.0.cs

Filesize
101KB

MD5
321752ec5d5fef01d4f146035796f9df

SHA1
a46dbf6fb95d498fd733d4fde9a3d1b5917ba1f3

SHA256
9e9c63652e73aeaf0904794cfe6428f5f72faa493a6d9815dadceb3ef911a393

SHA512
5a52ac4a13f4bb6b5813fc3ca446e3366e4902acb7675356a2d675ee612d2bd3affdebc1c446e59a1cc2ab64640b59a09b2e00c25729ccb4c93b1985249b9d73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vchn1v3\4vchn1v3.cmdline

Filesize
204B

MD5
f5791241c2d90fd5d19ac30a7226f6ee

SHA1
bd3fd9173628db66bc2ab3da20e7be4bbc511e87

SHA256
7d6544be693862c4f5c6a685d62049005b3cae77f10a0b34addf96b44de8398d

SHA512
97eec324397ce23c36faa42eec4c1eba77939ddcde2a9151f2e51888ddd6213f0becb02e792b288f6b4a75a124b5f81fad1caa96f417b47932071ab00a520698

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vchn1v3\CSC134E2E4D24B4021998A3622746E8CA4.TMP

Filesize
652B

MD5
71017077faee5222ede700ac9e7b5147

SHA1
5b1d1b634bf7df63efe66e0cf8175e0046f17ca2

SHA256
2003d4c648d90f50aff32097578d399195e141b0543cebc843da2c1153e925fb

SHA512
e3fe2757fc251c45d7b553297ecd2f8621e6dca9b7be472053fc1294906233451829c73c42c6abfb60540f345ca6d8b345676cca6d70336868a0ddec83af37ff

Download Submit
memory/3684-23-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/3684-27-0x00000000066E0000-0x0000000006C84000-memory.dmp

Filesize
5.6MB

Download
memory/3684-26-0x0000000006090000-0x0000000006122000-memory.dmp

Filesize
584KB

Download
memory/3684-25-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/3684-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3684-19-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/3684-24-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/3684-21-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/3684-22-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/4708-15-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/4708-20-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/4708-1-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/4708-5-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/4708-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing