General
-
Target
XWorm-Rat-Remote-Administration-Tool--main.zip
-
Size
5.0MB
-
Sample
240628-ch78dsvhkf
-
MD5
ed997c518b1affa39a5db6d5e1e38874
-
SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf
-
SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556
-
SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7
-
SSDEEP
98304:7jsOrfOedjeCSFFEYhqox9mv7Ys7q2f2AIRUeIV1iwLZnnpha75mlf2:7jLSCSFFEYrbA77q2+BS5nLbEX
Behavioral task
behavioral1
Sample
XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral4
Sample
XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
asyncrat
1.0.7
def
37.18.62.18:8060
era2312swe12-1213rsgdkms23
-
delay
1
-
install
true
-
install_file
CCXProcess.exe
-
install_folder
%Temp%
Targets
-
-
Target
XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe
-
Size
12KB
-
MD5
f922206889c896cf2d86f21e9f9db7db
-
SHA1
046b00f2edb34982db266d903627ced283f4a5ea
-
SHA256
1ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3
-
SHA512
abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965
-
SSDEEP
192:wLwX9CLPN0LjrJUMmYVY2aq3xWrhSaadrq8uSF3u:owNCLPN0/9UMme313UrhSJUSF
Score1/10 -
-
-
Target
XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe
-
Size
1.9MB
-
MD5
4904329d091687c9deb08d9bd7282e77
-
SHA1
bcf7fcebb52cad605cb4de65bdd077e600475cc7
-
SHA256
e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
-
SHA512
b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
-
SSDEEP
24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
-
-
Target
XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe
-
Size
3.2MB
-
MD5
339b7f92641c0f5161731fc681aaeb3a
-
SHA1
21d2d89e9ade90df638f33d314ac68e30f6aa52e
-
SHA256
b6fb77dfd00695678b06ed122523a0b067077fe69113f395661cd3be748d9f7c
-
SHA512
58e5ff1d92be52df114b7f060d700823dff9158ec765cf9b19ab9df0ace2669405467f49d1bd56ce04871683fbcbaace5976ebdbd1575490ff411333a3905134
-
SSDEEP
24576:o08GeFzFDzPLDP8c1uAowyLQfB/eVjKIOQaBcM707ae8gpeJF+kR8YD2Y35/5Mb6:4/TjrHWKWDOQko29ueJsq8z
Score1/10 -
-
-
Target
XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe
-
Size
52KB
-
MD5
0c2d61d64f4325ca752202e5bf792e9e
-
SHA1
e7655910a124dd10beb774a693f7caccf849b438
-
SHA256
d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1
-
SHA512
1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46
-
SSDEEP
768:mqUR8bIL+Cyq+DiZtelDSN+iV08Ybygem++2O3vEgK/Jd/yVNNECVc6KN:mxIeZtKDs4zb1uBO3nkJIrqCVclN
-
-
-
Target
XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe
-
Size
12KB
-
MD5
6967b97ce4ff4524883a196a97736275
-
SHA1
6fdf2b9adc16b40a06bacc7db0abee917ef4abd3
-
SHA256
e2bddf56324addac02678a7fd8d9c3da24ad55132883ad826a1a60eaf4e4a034
-
SHA512
c71525d49e36975cb43535cff5176409163b14f53b644e3d161fd56f7514f0affbda051541a07d9af4cdc45a564dfad20a23584701499a0f03e531219c9f72be
-
SSDEEP
192:zLlo6IXsbK9CLPN0LWyJUMmYVY2QQq33WrmRaadrq8uSF3:PljIeyCLPN0CUUMme3o3mrmRJUSF
-
Async RAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-