Multi-License Discount Quote
Threat Database Malware XWorm RAT

XWorm RAT

By Mezo in Malware, Remote Administration Tools, Stealers
Translate To:

Threat Scorecard

Popularity Rank: 4,286
Threat Level: 80 % (High)
Infected Computers: 312
First Seen: April 24, 2023
Last Seen: January 22, 2026
OS(es) Affected: Windows

The XWorm malware is identified as a threat from the Remote Access Trojan (RAT) category. RATs are specifically designed to enable unauthorized access and control of a victim's computer by cybercriminals. With the use of RATs, attackers can remotely monitor and observe user activities, pilfer sensitive data, and execute a wide range of malicious operations on the compromised system, depending on their specific goals. According to researchers, the XWorm RAT is offered for sale by its developers at a price point of $400.

The XWorm RAT Can Steal a Wide Range of Sensitive Information

XWorm RAT possesses an extensive array of capabilities that make it a highly sophisticated and dangerous threat in the hands of cybercriminals. One of its primary functionalities is the ability to steal valuable system information from the victim's computer stealthily. The RAT can steal sensitive data from popular browsers. XWorm can extract passwords, cookies, credit card details, bookmarks, downloads, keywords, and browsing history from Chromium browsers. Similarly, it can pilfer passwords, cookies, bookmarks, and history from Firefox browsers, greatly compromising the security of the victim's online activities.

Moreover, XWorm's capabilities encompass targeting a variety of applications and services. It can steal Telegram session data, Discord tokens, WiFi passwords, Metamask and FileZilla data. Additionally, XWorm can access the Registry Editor, log keystrokes, run ransomware to encrypt files and demand a ransom, and manipulate clipboard data, services and processes.

Beyond information theft, XWorm has the capability to execute files, granting attackers the power to run various malicious programs and payloads on the compromised system. Additionally, the Trojan can gain unauthorized access to the victim's webcam and microphone, posing a significant invasion of privacy and allowing attackers to monitor the victim's activities. XWorm's reach extends even further as it can open URLs, execute shell commands, and manage files, effectively giving attackers complete control over the victim's computer.

The attackers can even use XWorm to enable or disable critical system components and features such as User Account Control (UAC), Registry Editor, Task Manager, Firewall and system updates. The ability to invoke the Blue Screen of Death (BSoD) adds another layer of disruption and potential damage to the victim's system.

The XWorm RAT Could Be Used to Deliver Ransomware Payloads on the Breached Devices

One significant capability of XWorm is its ability to conduct ransomware attacks. Ransomware is threatening software that encrypts files, making them inaccessible without a specific decryption key. Subsequently, XWorm's operators can demand payment from the victim in exchange for providing the necessary decryption software to regain access to the encrypted files.

In addition, XWorm has been observed being utilized by cybercriminals for clipboard hijacking. This technique involves malware monitoring and intercepting data copied to a victim's clipboard, with a specific focus on replacing cryptocurrency wallet addresses. For instance, if a victim copies a Bitcoin, Ethereum, or other cryptocurrency wallet address, XWorm detects the data and replaces it with a wallet address owned by the cybercriminals. Consequently, victims unwittingly send their funds to the hackers' wallet instead of the intended recipient's address.

The expansive range of malicious capabilities observed in the XWorm RAT also includes a keylogging functionality. Keylogging involves the harmful process of clandestinely capturing and recording all keyboard inputs made by a user on an infected system. This means that passwords, login credentials, sensitive messages, and other personal information are surreptitiously recorded and transmitted to the attacker's Command and Control server.

Analysis Report

General information

Family Name: Keylogger.XWormRAT
Signature status: No Signature

Known Samples

MD5: 8393544e67726805f0c88ccda151372c
SHA1: 2e161a4086a183403597d0a6b0ae9ea0c9d19037
SHA256: 36D605F10AE3233010B4BE32CF6B75501B3D332C95CF56E54001FD8C7A8389CE
File Size: 2.97 MB, 2971648 bytes
MD5: 6c081bbee7b8c0dede2869a2d239d3c3
SHA1: 53c9351e354d5466b49786b2b6afafee30d822ee
SHA256: 9114C4BDC17A52B091638AE86A2D788EDA113CDC94925B3343A483F2EFC396BD
File Size: 11.78 KB, 11776 bytes
MD5: 0ae34e0fa21b649ebfc90052b713682a
SHA1: ce89172965fe3205dc28014db093c5c19a3e1236
SHA256: 2A0EA0B7D49FF3D309AB51EC94B06C7370EFC5D7AA5200F05D130F27EEC9762E
File Size: 55.30 KB, 55296 bytes
MD5: 5d7149ceedf9f6ae4fbe58771daeec84
SHA1: 4ed9ef1ed31a9dda24b488f10a0799003a1ab0fe
SHA256: 7334C22939E917D6D9E4B3F849F07F7FA6D34D9787692B3DCA06145B3D7EBF4B
File Size: 44.54 KB, 44544 bytes
MD5: e27820ce232dfe90f0e7eda36614d2d1
SHA1: 46523ea3b60c6987d20b0751296b7d3de874e6d7
SHA256: 1FC75F0B36B7DF183678BE72F3B225ACC04A5B450D67D2E1AF42DEE53A243805
File Size: 2.07 MB, 2074112 bytes
Show More
MD5: 4489cbaa5dc8e45ad3293280175bda02
SHA1: 6a2f992055737bd58e936c01c86ed965034dce57
SHA256: D95B28A388740E01832E83FCCFB6EB8B07188C36FFDCC5D73FA9D00754946459
File Size: 265.73 KB, 265728 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
Show More
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Company Name Synaptics
File Description
  • dSoft
  • Synaptics Pointing Device Driver
  • uninstall
File Version
  • 1.0.0.4
  • 1.0.0.0
Internal Name
  • dSoft.exe
  • License Editor.exe
  • Quantis.exe
  • SearchSystem.exe
  • uninstall.dll
Legal Copyright
  • Copyright © 2020
  • Copyright © 2021
Original Filename
  • dSoft.exe
  • License Editor.exe
  • Quantis.exe
  • SearchSystem.exe
  • uninstall.dll
Product Name
  • dSoft
  • Synaptics Pointing Device Driver
  • uninstall
Product Version
  • 1.0.0.0

File Traits

  • .NET
  • 00 section
  • 2+ executable sections
  • dll
  • HighEntropy
  • Installer Version
  • NewLateBinding
  • ntdll
  • RijndaelManaged
  • Run
Show More
  • x86

Block Information

Total Blocks: 74
Potentially Malicious Blocks: 41
Whitelisted Blocks: 20
Unknown Blocks: 13

Visual Map

0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? x x x ? x x x x x x x x 0 x x x x x ? ? ? ? x ? ? x x x ? ? x x ? x x x ? 0 x x x x x 0 0 x x x x x x x x x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.BypassUAC.K
  • MSIL.BypassUAC.LC
  • MSIL.BypassUAC.P
  • MSIL.Downloader.CAYD
  • MSIL.Rozena.GG

Files Modified

File Attributes
c:\users\user\ce89172965fe3205dc28014db093c5c19a3e1236_0000055296 Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
Show More
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey

Windows API Usage

Category API
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
  • NtQuerySystemInformation
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
Show More
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId

8 additional items are not displayed above.

Encryption Used
  • BCryptOpenAlgorithmProvider
Process Manipulation Evasion
  • ReadProcessMemory
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams

Trending

Most Viewed

Loading...