xworm | 919161265bdda133ab4c6693baa0d603c7713ca71636d262c1d3a5805d28d05d

General

Target

Xeno.exe
Size

3.0MB
MD5

158b3d88e3cebfa581703ee917bad272
SHA1

759c69673d8326e8e73e72297bf0ac4eb1e0a217
SHA256

919161265bdda133ab4c6693baa0d603c7713ca71636d262c1d3a5805d28d05d
SHA512

023af21a4c339559124df0d5cc280dfa63d7824ea7474c92f95cfa04b482bd879ff359b1511f8bd4e35f2344bae84fadb8ff8f784d792575197f1aba9211f189
SSDEEP

49152:ytlcyXfHnaBTof9ePCjkIAm1skqXfd+/9A9ByClY1v/a/ehH7pNLLn2:yfZXfHaFoCIvqkqXf0FglY1XOe97vLn

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

earth-northwest.gl.at.ply.gg:49617

Mutex

jek2DMhZuJKlksdl

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019490-9.dat	family_xworm
behavioral1/memory/1148-13-0x0000000000210000-0x0000000000220000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
2544	BOOTSTRAPPERNEW.EXE
1148	SOLARA.EXE
1156	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1704	Xeno.exe
1704	Xeno.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xeno.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	SOLARA.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2544	1704	Xeno.exe	31
PID 1704 wrote to memory of 2544	1704	Xeno.exe	31
PID 1704 wrote to memory of 2544	1704	Xeno.exe	31
PID 1704 wrote to memory of 2544	1704	Xeno.exe	31
PID 1704 wrote to memory of 1148	1704	Xeno.exe	32
PID 1704 wrote to memory of 1148	1704	Xeno.exe	32
PID 1704 wrote to memory of 1148	1704	Xeno.exe	32
PID 1704 wrote to memory of 1148	1704	Xeno.exe	32

C:\Users\Admin\AppData\Local\Temp\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERNEW.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERNEW.EXE"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARA.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERNEW.EXE

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
\Users\Admin\AppData\Local\Temp\SOLARA.EXE

Filesize
40KB

MD5
6aaa04f906e1966d6d97b0855ea1fa7f

SHA1
8b08c6ae9f383b8d819e852552c2ea7af707f51e

SHA256
619979ec317a16e0a29953786279c36294f2b78338f152242f6536d458819262

SHA512
0cf695a4b8367f28196e329ccdbec7877cb55cefa548a6388d12977951225f20cc70bf99ce575433cf51c30546e03e765121bd2f8b89bdefa703d7e4e50f6383

Download Submit
memory/1148-13-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/2544-19-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/2544-21-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2544-15-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/2544-16-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/2544-18-0x000000001E2F0000-0x000000001E3F0000-memory.dmp

Filesize
1024KB

Download
memory/2544-7-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2544-20-0x0000000000E10000-0x0000000000E36000-memory.dmp

Filesize
152KB

Download
memory/2544-14-0x0000000001170000-0x0000000001452000-memory.dmp

Filesize
2.9MB

Download
memory/2544-22-0x0000000001150000-0x0000000001166000-memory.dmp

Filesize
88KB

Download
memory/2544-23-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2544-24-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/2544-25-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2544-27-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2544-28-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing