xworm | ae790bbbadeb38db0e345970612a859e0b9888c976d798105a48a81ced48ff40

Resubmissions

28/03/2025, 07:19

250328-h5ykcss1bx 10

28/03/2025, 07:15

250328-h29hfsvmy4 10

Analysis

max time kernel
23s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vanta Bundle.rar
Size

100KB
MD5

b622d4beb1f53e776cbe210b5c0bd3af
SHA1

c7a09721ad876715a9c419db5da263fe3dc1d905
SHA256

ae790bbbadeb38db0e345970612a859e0b9888c976d798105a48a81ced48ff40
SHA512

460ee20a7e044e7351bcb6534823ea28f30de20e71192571ef351b72e559719efd2ffc70f176fe39cc8c03c4c9e52f5ee26aa3897f76cca403a0eb0b6d45cd86
SSDEEP

1536:e19R7X+Z3yNPvbCrWNHdUUYtboOeJSpL0VblnPwVa/YgL1m2msA+N40rEVc:eByZcDCWY1NoOlpgVdwMnL1ZmN+N4wEe

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

documents-johnny.gl.at.ply.gg:63203:63203

documents-johnny.gl.at.ply.gg:63203

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024277-20.dat	family_xworm
behavioral1/memory/1072-28-0x0000000000E40000-0x0000000000E5C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Vanta Loader.exe

Executes dropped EXE 2 IoCs

pid	Process
448	Vanta Loader.exe
1072	working.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4400	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
448	Vanta Loader.exe
448	Vanta Loader.exe
4628	7zFM.exe
4628	7zFM.exe
4628	7zFM.exe
4628	7zFM.exe
4628	7zFM.exe
4628	7zFM.exe
4628	7zFM.exe
4628	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4628	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4628	7zFM.exe
Token: 35	4628	7zFM.exe
Token: SeSecurityPrivilege	4628	7zFM.exe
Token: SeDebugPrivilege	448	Vanta Loader.exe
Token: SeDebugPrivilege	1072	working.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4628	7zFM.exe
4628	7zFM.exe
4628	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 448	4628	7zFM.exe	98
PID 4628 wrote to memory of 448	4628	7zFM.exe	98
PID 448 wrote to memory of 1072	448	Vanta Loader.exe	100
PID 448 wrote to memory of 1072	448	Vanta Loader.exe	100
PID 448 wrote to memory of 856	448	Vanta Loader.exe	101
PID 448 wrote to memory of 856	448	Vanta Loader.exe	101
PID 856 wrote to memory of 4400	856	cmd.exe	106
PID 856 wrote to memory of 4400	856	cmd.exe	106

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Vanta Bundle.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\7zO41211B97\Vanta Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO41211B97\Vanta Loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Roaming\working.exe
    "C:\Users\Admin\AppData\Roaming\working.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gtag.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO41211B97\Vanta Loader.exe

Filesize
103KB

MD5
7c55349ebd2e7a02bb00f3da322fe324

SHA1
b311a9f3bd9384b1f0670829f8542efe6ee36669

SHA256
9f3f1e2fb2144b98704d12094feec42ee6f17a12d934717cc2641bd22d711faa

SHA512
80569369c223bef0617ddd72136a998eb05f3ff4185f093b714efa73f97452160e18b97112a5471469159caab6189a023aa5f51e0cb29a4b3a3eb5613d746e47

Download Submit
C:\Users\Admin\AppData\Roaming\gtag.bat

Filesize
1KB

MD5
b4d416c4dfceab87a7325ee4341699bb

SHA1
d7232afee2a44f312194d3354e9ddbdc6b3901f6

SHA256
eca30211d1de347ebaea342504e17dd310363498d672e88645f118407e0f7795

SHA512
d2cc348b0f1cb4b48f1ffa6278bc637c1a13e6ac4e1d344f31d12cc91e0d4662910cd0acf4d2aeee3077ccad33acf802c0d0edfaedaf900841ed0295371185fa

Download Submit
C:\Users\Admin\AppData\Roaming\working.exe

Filesize
89KB

MD5
747791250e775bccfa4839fd5f35458a

SHA1
d819242314aadc30b403da6de7bc26ba6d0e8dc4

SHA256
50114e2d618e027638d413dd2fee7565c0baa212d70f2d9e2503ec65f4aa2b18

SHA512
66aeff5ab0b500e6804883cc004b2325c64b867b7eea937b34a9154d82aa154e1410601cf23c89cda89c4b7b0d86f5e1c7322b087706282fb0b5b1c33bf8f960

Download Submit
memory/448-13-0x0000000000EF0000-0x0000000000F10000-memory.dmp

Filesize
128KB

Download
memory/448-12-0x00007FFABBA03000-0x00007FFABBA05000-memory.dmp

Filesize
8KB

Download
memory/448-14-0x00000000016B0000-0x00000000016D0000-memory.dmp

Filesize
128KB

Download
memory/448-16-0x00007FFABBA00000-0x00007FFABC4C1000-memory.dmp

Filesize
10.8MB

Download
memory/448-32-0x00007FFABBA00000-0x00007FFABC4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-28-0x0000000000E40000-0x0000000000E5C000-memory.dmp

Filesize
112KB

Download