xworm | 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a

General

Target

fg.exe
Size

295KB
MD5

570bc151bf5d20eea56d4ad306344238
SHA1

277af0f90afaa930f065b5d72a7fb06739031157
SHA256

1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a
SHA512

bb0671bf524a17130188a7790d29e89dba58900018ffa5b10d6945776e569e1dffad0c073ed9ab8abd2785509dc7e1fd78e4502b913e15762ffa7581f4458b4a
SSDEEP

1536:qg8buvyxUMWFKVwVp8M+MZZ/cPRXjqV6jZXsWxRGQ/EuRTxcLgfBZN0wpfMgn8Es:qv66xUTGLL0hJ7bbAvDYkYjUar

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d0e-14.dat	family_xworm
behavioral1/memory/2004-15-0x0000000000360000-0x0000000000370000-memory.dmp	family_xworm
behavioral1/memory/2888-19-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2888-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2888-20-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2888-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2888-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 2888	2004	fg.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3036	2004	fg.exe	30
PID 2004 wrote to memory of 3036	2004	fg.exe	30
PID 2004 wrote to memory of 3036	2004	fg.exe	30
PID 2004 wrote to memory of 3036	2004	fg.exe	30
PID 3036 wrote to memory of 2544	3036	csc.exe	32
PID 3036 wrote to memory of 2544	3036	csc.exe	32
PID 3036 wrote to memory of 2544	3036	csc.exe	32
PID 3036 wrote to memory of 2544	3036	csc.exe	32
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33
PID 2004 wrote to memory of 2888	2004	fg.exe	33

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ose3lyeh\ose3lyeh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3F4.tmp" "c:\Users\Admin\AppData\Local\Temp\ose3lyeh\CSC15C3876851AF4A20A58684F4AA7826DF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB3F4.tmp

Filesize
1KB

MD5
dc54b55989359b554314fb249a433538

SHA1
f27ecf37280f7ab4dbe9cef9608b2bc0c904d376

SHA256
bfc3dcd7d7caadb87b076c179be1adc519a958a4e76821155856c5f7aee81e8d

SHA512
7221cbebea8413a3d4a9c6fe39cad2ae4ab600e356b23759c6742a8386e7b0e2a45afd227b34d53d3097daff7dc6a722e54340bcf6c42eb5624bbd499e1fd295

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose3lyeh\ose3lyeh.dll

Filesize
41KB

MD5
dcf92ae07ea512dfdcb62e225ea96e86

SHA1
8d63499909177123b6b0f51d8a07b6d32904d1a6

SHA256
ba821180af83e9747300e1dedfa6cd9d0908a2fff09c3915edafc3d79a584535

SHA512
59b25ac81a218cef13752c1e86d196e71845ee140d77dab359327dba9b4e06c1adf0464e18980f2499b7f9bd803e903b53538a3ad71226b18ceb094e7a8d8e5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ose3lyeh\CSC15C3876851AF4A20A58684F4AA7826DF.TMP

Filesize
652B

MD5
b1d994eec430d7201a3bbef8c5d58db1

SHA1
a618beb2f4d8f186560e50be0590d1d8cb3a86aa

SHA256
aaf99522e452e92dad5f4bed94858ecb0f92be5000f79694cfb3ac910c84a4c5

SHA512
2a8066e82b9bf535acf0a32e7095effb69217ba74c4df8b50ff5cb7e22755146c8790c468d8f7fc15acb91116982b140b887991cda12469b13c7a98562897c9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ose3lyeh\ose3lyeh.0.cs

Filesize
101KB

MD5
fcb83d623452e1cafbc3b0ad5b3b5b73

SHA1
abc26af231584f50ca2ae6de25d4c4764eaf7a9f

SHA256
d4e8ff661b3125613fadc869675cf7c01909b4d64d06344ab2b632ab7ba1e4cc

SHA512
41a233e55bca274c0c3d2fe1c6474306cb17f273bc70e7b1224603b91d17314eb3709c2cbddf2e30d5caafb4b94eb18e8b7ea7d11b19612bf1b5fa80fa9dd3d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ose3lyeh\ose3lyeh.cmdline

Filesize
204B

MD5
e257f582aa77b931d315e58cd02effe6

SHA1
394a3810696d26410e9044981c484e7a97ffe0f7

SHA256
f63c08412fc66b80d74b96d89f38ed1b8e5653f246f2da78f4c16fd9399a0b35

SHA512
609e993ea01df2859a023a2be9fe2ba3eb31486c56c42f294744999475c2dd67a3dd36dbc27e3a5bcdf5e1059e3197ca26df483c2e695b72a53d8790e8aad5f3

Download Submit
memory/2004-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x0000000000040000-0x0000000000090000-memory.dmp

Filesize
320KB

Download
memory/2004-5-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2004-15-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2004-28-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-29-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-30-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-31-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-32-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing