xworm | 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a

General

Target

fg.exe
Size

295KB
MD5

570bc151bf5d20eea56d4ad306344238
SHA1

277af0f90afaa930f065b5d72a7fb06739031157
SHA256

1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a
SHA512

bb0671bf524a17130188a7790d29e89dba58900018ffa5b10d6945776e569e1dffad0c073ed9ab8abd2785509dc7e1fd78e4502b913e15762ffa7581f4458b4a
SSDEEP

1536:qg8buvyxUMWFKVwVp8M+MZZ/cPRXjqV6jZXsWxRGQ/EuRTxcLgfBZN0wpfMgn8Es:qv66xUTGLL0hJ7bbAvDYkYjUar

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00050000000229c7-14.dat	family_xworm
behavioral2/memory/3392-15-0x0000000005210000-0x0000000005220000-memory.dmp	family_xworm
behavioral2/memory/436-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3392 set thread context of 436	3392	fg.exe	95

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4260	3392	fg.exe	91
PID 3392 wrote to memory of 4260	3392	fg.exe	91
PID 3392 wrote to memory of 4260	3392	fg.exe	91
PID 4260 wrote to memory of 3084	4260	csc.exe	94
PID 4260 wrote to memory of 3084	4260	csc.exe	94
PID 4260 wrote to memory of 3084	4260	csc.exe	94
PID 3392 wrote to memory of 436	3392	fg.exe	95
PID 3392 wrote to memory of 436	3392	fg.exe	95
PID 3392 wrote to memory of 436	3392	fg.exe	95
PID 3392 wrote to memory of 436	3392	fg.exe	95
PID 3392 wrote to memory of 436	3392	fg.exe	95
PID 3392 wrote to memory of 436	3392	fg.exe	95
PID 3392 wrote to memory of 436	3392	fg.exe	95
PID 3392 wrote to memory of 436	3392	fg.exe	95

C:\Users\Admin\AppData\Local\Temp\fg.exe
"C:\Users\Admin\AppData\Local\Temp\fg.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wnz5gkzt\wnz5gkzt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES950C.tmp" "c:\Users\Admin\AppData\Local\Temp\wnz5gkzt\CSC9580088BBE4845198680FF63DC7A6BD5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES950C.tmp

Filesize
1KB

MD5
62d3eedbe450241a8dd808b26e8a243f

SHA1
d98edcdc40be6a475144b5d7dad26395bcdc41ed

SHA256
397003d41648b141a3338204f25b398ba6d6441c76736f9295b7b1570efbb802

SHA512
de7ca83c2f56897d2acedbd31d3679eabd500269291af09985c30d73d116282aaca8a9c1b0305b402a5aa8115d5c1fbdde2471204f68bc24d00dd79796f2059a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnz5gkzt\wnz5gkzt.dll

Filesize
41KB

MD5
b4c8ba3f5c8da1eab69aef62094ba26c

SHA1
1282b7bb60b1ea49fa244b21b91bd0ef10d52275

SHA256
e2a0f146a20112ba5af5422a636aa020d7167836ed7f4b12fb2d8f7dc702b9c3

SHA512
89efd5fa2aa07bbacd789549ed49faf5c29a67e3accd1f0f7218a4c47293a0b46e7a678d8f5561fe14e8e9f1777e5c7effef41bafa9b17ee4cd8691e5472c058

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnz5gkzt\CSC9580088BBE4845198680FF63DC7A6BD5.TMP

Filesize
652B

MD5
4ed06f798fafd639ad8206556dcded80

SHA1
6d12c094acd3016df71ac5b236f9712630becc6e

SHA256
858fe3e2d7dae8f2d2c65bb2db48015097be9dfcffed4d6ba34598f47e3c5b97

SHA512
b4d84b79443bba3ebff223750d802fb8baf271a5c010a3a37437c6a78e0d5b69e4d74f658dee1845f5bae7ba88b8a170c4deb71a5f5f14bf731ec529ad542fad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnz5gkzt\wnz5gkzt.0.cs

Filesize
101KB

MD5
fcb83d623452e1cafbc3b0ad5b3b5b73

SHA1
abc26af231584f50ca2ae6de25d4c4764eaf7a9f

SHA256
d4e8ff661b3125613fadc869675cf7c01909b4d64d06344ab2b632ab7ba1e4cc

SHA512
41a233e55bca274c0c3d2fe1c6474306cb17f273bc70e7b1224603b91d17314eb3709c2cbddf2e30d5caafb4b94eb18e8b7ea7d11b19612bf1b5fa80fa9dd3d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnz5gkzt\wnz5gkzt.cmdline

Filesize
204B

MD5
c39f78972e98d2680cdfcf77290e1c85

SHA1
25946e03755a976ed2d4c9d328dd771de8d47d39

SHA256
beaeb87ae537d6f783ff6673ae062d09a435db92a376cf36586088a998b0655d

SHA512
c88f8194084cf62b8a9ac00baa08693b23cf1b751192448f51cbffc2d6c9813d212fa539e2f2e3ac2c4ef6680bcd0cd4039b609940bbcf4c71e527e90914b979

Download Submit
memory/436-21-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/436-24-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/436-27-0x00000000065F0000-0x0000000006B94000-memory.dmp

Filesize
5.6MB

Download
memory/436-26-0x0000000005FA0000-0x0000000006032000-memory.dmp

Filesize
584KB

Download
memory/436-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/436-25-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/436-20-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/436-23-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/436-22-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/3392-0-0x000000007537E000-0x000000007537F000-memory.dmp

Filesize
4KB

Download
memory/3392-5-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/3392-19-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/3392-15-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3392-1-0x00000000008E0000-0x0000000000930000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing