xworm | 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a

General

Target

1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
Size

295KB
MD5

570bc151bf5d20eea56d4ad306344238
SHA1

277af0f90afaa930f065b5d72a7fb06739031157
SHA256

1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a
SHA512

bb0671bf524a17130188a7790d29e89dba58900018ffa5b10d6945776e569e1dffad0c073ed9ab8abd2785509dc7e1fd78e4502b913e15762ffa7581f4458b4a
SSDEEP

1536:qg8buvyxUMWFKVwVp8M+MZZ/cPRXjqV6jZXsWxRGQ/EuRTxcLgfBZN0wpfMgn8Es:qv66xUTGLL0hJ7bbAvDYkYjUar

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00080000000164de-14.dat	family_xworm
behavioral1/memory/1804-15-0x0000000000A60000-0x0000000000A70000-memory.dmp	family_xworm
behavioral1/memory/2700-31-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2700-29-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2700-27-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2700-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2700-21-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1216	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	30
PID 1804 wrote to memory of 1216	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	30
PID 1804 wrote to memory of 1216	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	30
PID 1804 wrote to memory of 1216	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	30
PID 1216 wrote to memory of 2352	1216	csc.exe	32
PID 1216 wrote to memory of 2352	1216	csc.exe	32
PID 1216 wrote to memory of 2352	1216	csc.exe	32
PID 1216 wrote to memory of 2352	1216	csc.exe	32
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33
PID 1804 wrote to memory of 2700	1804	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	33

C:\Users\Admin\AppData\Local\Temp\1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
"C:\Users\Admin\AppData\Local\Temp\1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bpe4jjqa\bpe4jjqa.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC227.tmp" "c:\Users\Admin\AppData\Local\Temp\bpe4jjqa\CSC6C5C28EE1EE4459584E8F118484CB850.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC227.tmp

Filesize
1KB

MD5
d2a229b6682d7132cb17145a9088da1d

SHA1
ca19d7547fd88de64b8faf88ebf5bf9a702e48fd

SHA256
207c54ddc6ee4d56c96edbf14e53b90473fab9b3702a3a6832bbb2029380acad

SHA512
ff3c5bfc19a124a3466dd7ba8eb329ba912ac51d12ef4a147feee3d9cc38a1a0bca966d43da7e0e22fd0c24868a2a6ec6e122c6584ca88ad5430980cf94f3fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpe4jjqa\bpe4jjqa.dll

Filesize
41KB

MD5
dc2239b97a7d007ee18eee65254fc4fd

SHA1
017d0b26474bf94f01c5ba44d1d48dbd9dfbb739

SHA256
8beeae6c69ebaeb2312b35ce2d873730531b8913ebce4112b6e63b33da5f01a3

SHA512
51de043fde27016e369ac114295499c7bef14fb2410279e89fe7bd2dc0ff723ee68ebda687f3afdcd73aa15e6ccb14f8d0fbeb1f4714140359f2f64453052fd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bpe4jjqa\CSC6C5C28EE1EE4459584E8F118484CB850.TMP

Filesize
652B

MD5
b935aeb1fb65a2bc415393e9c1de6498

SHA1
ed45a8cc7059fa4963f1077374308334f926482c

SHA256
4011bd6228ddfbdbba1312d2352f4e34255545adf7de2bc7920b379f0ac6f973

SHA512
6f45e8c73ab70c2ca53f02810b0f35452a0484074fa035f82b5d1534c7bfce7c46176574659e5334d9000582fd02d9b9f2c288360fcfad176afa05145b32fdfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bpe4jjqa\bpe4jjqa.0.cs

Filesize
101KB

MD5
fcb83d623452e1cafbc3b0ad5b3b5b73

SHA1
abc26af231584f50ca2ae6de25d4c4764eaf7a9f

SHA256
d4e8ff661b3125613fadc869675cf7c01909b4d64d06344ab2b632ab7ba1e4cc

SHA512
41a233e55bca274c0c3d2fe1c6474306cb17f273bc70e7b1224603b91d17314eb3709c2cbddf2e30d5caafb4b94eb18e8b7ea7d11b19612bf1b5fa80fa9dd3d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bpe4jjqa\bpe4jjqa.cmdline

Filesize
204B

MD5
0466caf94aea55c3f094acc25b022ec9

SHA1
aa9d6d40330bdf5c2240514a857523aeecd1a6c3

SHA256
dd444d6096d0bb494ec6c1286cb72d9e8f7fd27f1b221d3cb8b3d00ea9198e63

SHA512
a3c92305e55a26dca7f52dc586742d3e6f31fe36ab30fb07d855d6daa8e5818a1ccdbfe148cbc8906f4ce28aabd89bb323c27f4c8b8d6049badfe4b5ecb574c9

Download Submit
memory/1804-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1804-1-0x00000000013E0000-0x0000000001430000-memory.dmp

Filesize
320KB

Download
memory/1804-5-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-15-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/1804-32-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-33-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-34-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-35-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-36-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing