xworm | c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d

General

Target

c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe
Size

321KB
MD5

724cc4de405ed3db8a91c383cfc89f84
SHA1

45ca40cf798b7b2ea7216dba582d09dc83cd1bf5
SHA256

c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d
SHA512

2d3a4b342de5760091e6d6b77d5cdc8abad81ea9dea44bbeb37626f399c11d1405fd6eb8e2156330a684e2a3d28f6dd4ff93660816515896dc82f7a1f7d0d338
SSDEEP

6144:PzU2+BjwsX7+LtOKcvGj94+Y2MlP2yOjxK70NTDx9agjjkRE2aMoiFSV:PzU2+FwsX7+LtOKcvGj94+Y2MlP2yOj7

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d89-14.dat	family_xworm
behavioral1/memory/2120-15-0x0000000000260000-0x0000000000270000-memory.dmp	family_xworm
behavioral1/memory/2284-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2284-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2284-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2284-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2284-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2100	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	30
PID 2120 wrote to memory of 2100	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	30
PID 2120 wrote to memory of 2100	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	30
PID 2120 wrote to memory of 2100	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	30
PID 2100 wrote to memory of 2408	2100	csc.exe	32
PID 2100 wrote to memory of 2408	2100	csc.exe	32
PID 2100 wrote to memory of 2408	2100	csc.exe	32
PID 2100 wrote to memory of 2408	2100	csc.exe	32
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33
PID 2120 wrote to memory of 2284	2120	c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe	33

C:\Users\Admin\AppData\Local\Temp\c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe
"C:\Users\Admin\AppData\Local\Temp\c6e052c84a0ed1ad7f463704a5fafffcc845e5744a40eadb84867af10217501d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xygdlspy\xygdlspy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCAB.tmp" "c:\Users\Admin\AppData\Local\Temp\xygdlspy\CSC3B38A255576D425DADC2D8FED2CC342.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBCAB.tmp

Filesize
1KB

MD5
5fca4d79dcd09337e175fbf304dc4df2

SHA1
33f6a821b1b2b526e866dbf851169a2819ea29b2

SHA256
e99c59a8bf914a8690f1bee89693e44092cc3fc85a479ca66cf9bb7b52d5e63e

SHA512
0d289731d05a36cace7c84faa244e76d4598bcc2edacbbec1fb97ee8319c8de0bf037cc2ececd813c35ff65f510ef48a0d040de5a28ee1b67249a078ee079efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xygdlspy\xygdlspy.dll

Filesize
42KB

MD5
4453117a313e69dc4fda902e506c8c68

SHA1
333a13beee9636b564a1e7d1f60668f318818308

SHA256
9b7f50b281f9c1303248ddf56252fb2d6a469054f4b4d8b739cb8c4b01c6ff5a

SHA512
9bb036cdb63fdbd894fce6c1a1dfa4228368a412ca2b56394c8149114d4a0ba342f816504cbd75296db37cc5f5cc5ebaed6dd1ea66e0a6fbc9cedeb791d20774

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xygdlspy\CSC3B38A255576D425DADC2D8FED2CC342.TMP

Filesize
652B

MD5
a275cb3fed9ddea077019957422c98bb

SHA1
a86644b2652c7af2f508dc69e53355872a5875f9

SHA256
e455b7e143e252f99fb58e1da5f620ba158d22c27e2f9d1db4d5e095c1680790

SHA512
6c7e218368cd8621cc0955306abdc6834468b1ca9ae01acdee63052f2c41cffb0da91520530f6376782162e462eca9a2d0ffd89dae70861b0a55bba49387c22d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xygdlspy\xygdlspy.0.cs

Filesize
104KB

MD5
4c235e59a96c8c09a6f7e97b95772164

SHA1
7350cfb88fbf6a2e7a9b12ad85f12e174b22b76a

SHA256
3a8459f7033c4dec0a2a8ee37090fa2fe38a2013667c969ac870965deb0b8c8d

SHA512
0857cc0c6c0aa7204772873a02fbeb11a05d0c890241eedaee6bf4fdd3a4ceaf18e6d612c7e3d47ba1c077104cf91809b133dc2420864d16cd15315c2d47cdf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xygdlspy\xygdlspy.cmdline

Filesize
204B

MD5
188a219f57f962a6140eb11eab035766

SHA1
469626f7ce86330715f491bd50cba9bc84454375

SHA256
1bde87f25269f1b121520309bf7d2deb8162524ebfcdf4fd1c374e5c19708a1d

SHA512
fd3eb65c58d47da2a6fb07f4175d68a2b75be77247cdb533adaa6df5f4debaf5087166a22c3d62ebe6f69569b130dc09fd46dd41b08aa6e486aff35f82eb9f3b

Download Submit
memory/2120-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/2120-1-0x00000000002C0000-0x0000000000316000-memory.dmp

Filesize
344KB

Download
memory/2120-5-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-15-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2120-28-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2284-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2284-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2284-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2284-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2284-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2284-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2284-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2284-29-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-30-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-31-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-32-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing