xworm | 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a

General

Target

1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
Size

295KB
MD5

570bc151bf5d20eea56d4ad306344238
SHA1

277af0f90afaa930f065b5d72a7fb06739031157
SHA256

1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a
SHA512

bb0671bf524a17130188a7790d29e89dba58900018ffa5b10d6945776e569e1dffad0c073ed9ab8abd2785509dc7e1fd78e4502b913e15762ffa7581f4458b4a
SSDEEP

1536:qg8buvyxUMWFKVwVp8M+MZZ/cPRXjqV6jZXsWxRGQ/EuRTxcLgfBZN0wpfMgn8Es:qv66xUTGLL0hJ7bbAvDYkYjUar

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e681-14.dat	family_xworm
behavioral2/memory/376-15-0x0000000005750000-0x0000000005760000-memory.dmp	family_xworm
behavioral2/memory/3168-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 376 set thread context of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 3792	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	88
PID 376 wrote to memory of 3792	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	88
PID 376 wrote to memory of 3792	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	88
PID 3792 wrote to memory of 2524	3792	csc.exe	90
PID 3792 wrote to memory of 2524	3792	csc.exe	90
PID 3792 wrote to memory of 2524	3792	csc.exe	90
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91
PID 376 wrote to memory of 3168	376	1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe	91

C:\Users\Admin\AppData\Local\Temp\1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
"C:\Users\Admin\AppData\Local\Temp\1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wylr4jn3\wylr4jn3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF57C.tmp" "c:\Users\Admin\AppData\Local\Temp\wylr4jn3\CSCC21F2BD1FE774C1EA879BA31D87CD3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF57C.tmp

Filesize
1KB

MD5
58e05d4cf55bffbb269e55547236bec1

SHA1
96d0c1a85b7811ce5255677697419b2fece355c6

SHA256
9facafaabf3a41e8e73c4be319f68bae1a0fe3a5b29258ec61fb599868a0e9d3

SHA512
1a40eab19bf65627162a372bf58ae605223b7b91f639c0c1a02185e5c5b9395cf13aa0d132ddcb2b8cefc9e71cf6657bfd313973d8ab08788aab2d36f9fd1bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wylr4jn3\wylr4jn3.dll

Filesize
41KB

MD5
f5c10a0758631d6f99f973df7718f9ee

SHA1
85cf78e4842f39befc5d3cd6b7cb7d52db2d1320

SHA256
6e04470fb7c229fa60570942f793d3e8614657bd0e1a43588af28b7f684a48db

SHA512
9e1bdcfeddc710bc28b63ca7d529c54724ae35182d9d626cb58475a3798affebf9686cc6574bf9c3859db0f4434b5d34ce134c4b5ea2a78d61a422d7a297fa9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wylr4jn3\CSCC21F2BD1FE774C1EA879BA31D87CD3.TMP

Filesize
652B

MD5
3f4c74a25a8784bf49b7f64d6501fc13

SHA1
8342e22a458a5261c7428add3c7c7b83d59c0b15

SHA256
e7ce65bf633b93b45fd45c4e82a61d0686df771ca94af8066f1d8e2cb6216b6c

SHA512
d7293e1336abfed17e7cca5b789af8392cc1b919dc356e12d3a54c8c9f0e8d902c4cdeda54a9a45c0afd5f8d494231bbe3e01c261764a072f417434141d22f36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wylr4jn3\wylr4jn3.0.cs

Filesize
101KB

MD5
fcb83d623452e1cafbc3b0ad5b3b5b73

SHA1
abc26af231584f50ca2ae6de25d4c4764eaf7a9f

SHA256
d4e8ff661b3125613fadc869675cf7c01909b4d64d06344ab2b632ab7ba1e4cc

SHA512
41a233e55bca274c0c3d2fe1c6474306cb17f273bc70e7b1224603b91d17314eb3709c2cbddf2e30d5caafb4b94eb18e8b7ea7d11b19612bf1b5fa80fa9dd3d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wylr4jn3\wylr4jn3.cmdline

Filesize
204B

MD5
562c180dda6d16babe883181bc030225

SHA1
8200aee7a4870e933547ff0950ea0792acf59d85

SHA256
f7124f34d9e8bbe1e0ea9f1d96930df99faacb6521cf204a7f95c02d87024f01

SHA512
8f2501e723b5003ead16fca48eb8be3c4b5ac96dfec220a24ea1890333fde27f7094530566b83b327c09ac4568d2772341cc046da0caae0857c30e185367247f

Download Submit
memory/376-15-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/376-5-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/376-1-0x0000000000E20000-0x0000000000E70000-memory.dmp

Filesize
320KB

Download
memory/376-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/376-19-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3168-21-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/3168-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3168-20-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3168-22-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3168-23-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/3168-24-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3168-25-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3168-26-0x0000000006340000-0x00000000063D2000-memory.dmp

Filesize
584KB

Download
memory/3168-27-0x0000000006990000-0x0000000006F34000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing