XWorm RAT

翻譯為：

威脅評分卡

Popularity Rank:	4,286
威胁级别：	80 % (高的)
受感染的计算机：	312

初见：	April 24, 2023
最后一次露面：	January 22, 2026
受影响的操作系统：	Windows

XWorm 惡意軟件被識別為遠程訪問木馬 (RAT) 類別的威脅。 RAT 專門設計用於網絡犯罪分子對受害者計算機進行未經授權的訪問和控制。通過使用 RAT，攻擊者可以遠程監控和觀察用戶活動、竊取敏感數據，並根據其具體目標在受感染的系統上執行各種惡意操作。據研究人員稱，XWorm RAT 的開發商以 400 美元的價格出售。

XWorm RAT 可以竊取廣泛的敏感信息

XWorm RAT 擁有廣泛的功能，使其成為網絡犯罪分子手中高度複雜且危險的威脅。其主要功能之一是能夠從受害者的計算機上秘密竊取有價值的系統信息。 RAT 可以從流行瀏覽器竊取敏感數據。 XWorm 可以從 Chromium 瀏覽器中提取密碼、cookie、信用卡詳細信息、書籤、下載、關鍵字和瀏覽歷史記錄。同樣，它可以竊取 Firefox 瀏覽器的密碼、cookie、書籤和歷史記錄，極大地損害受害者在線活動的安全。

此外，XWorm 的功能涵蓋針對各種應用程序和服務。它可以竊取 Telegram 會話數據、Discord 令牌、WiFi 密碼、Metamask 和 FileZilla 數據。此外，XWorm 還可以訪問註冊表編輯器、記錄擊鍵、運行勒索軟件來加密文件並索要贖金，以及操縱剪貼板數據、服務和進程。

除了信息盜竊之外，XWorm 還具有執行文件的能力，使攻擊者能夠在受感染的系統上運行各種惡意程序和有效負載。此外，該特洛伊木馬還可以未經授權訪問受害者的網絡攝像頭和麥克風，從而嚴重侵犯隱私並允許攻擊者監視受害者的活動。 XWorm 的影響範圍進一步擴大，因為它可以打開 URL、執行 shell 命令和管理文件，從而有效地讓攻擊者完全控制受害者的計算機。

攻擊者甚至可以使用 XWorm 啟用或禁用關鍵系統組件和功能，例如用戶帳戶控制 (UAC)、註冊表編輯器、任務管理器、防火牆和系統更新。調用藍屏死機 (BSoD) 的能力給受害者的系統增加了另一層破壞和潛在損害。

XWorm RAT 可用於在被破壞的設備上傳遞勒索軟件有效負載

XWorm 的一項重要功能是其進行勒索軟件攻擊的能力。勒索軟件正在威脅加密文件的軟件，如果沒有特定的解密密鑰就無法訪問它們。隨後，XWorm 的運營商可以要求受害者付款，以換取受害者提供必要的解密軟件以重新獲得對加密文件的訪問權限。

此外，據觀察，網絡犯罪分子利用 XWorm 進行剪貼板劫持。該技術涉及惡意軟件監控和攔截複製到受害者剪貼板的數據，特別關注替換加密貨幣錢包地址。例如，如果受害者復制比特幣、以太坊或其他加密貨幣錢包地址，XWorm 會檢測到該數據並將其替換為網絡犯罪分子擁有的錢包地址。因此，受害者無意中將資金發送到黑客的錢包，而不是預期的收件人地址。

XWorm RAT 中觀察到的廣泛惡意功能還包括鍵盤記錄功能。鍵盤記錄涉及秘密捕獲和記錄用戶在受感染系統上進行的所有鍵盤輸入的有害過程。這意味著密碼、登錄憑據、敏感消息和其他個人信息會被秘密記錄並傳輸到攻擊者的命令和控制服務器。

分析报告

一般信息

Family Name:	Keylogger.XWormRAT
Signature status:	No Signature

Known Samples

MD5: 8393544e67726805f0c88ccda151372c

SHA1: 2e161a4086a183403597d0a6b0ae9ea0c9d19037

SHA256: 36D605F10AE3233010B4BE32CF6B75501B3D332C95CF56E54001FD8C7A8389CE

文件大小: 2.97 MB, 2971648 bytes

MD5: 6c081bbee7b8c0dede2869a2d239d3c3

SHA1: 53c9351e354d5466b49786b2b6afafee30d822ee

SHA256: 9114C4BDC17A52B091638AE86A2D788EDA113CDC94925B3343A483F2EFC396BD

文件大小: 11.78 KB, 11776 bytes

MD5: 0ae34e0fa21b649ebfc90052b713682a

SHA1: ce89172965fe3205dc28014db093c5c19a3e1236

SHA256: 2A0EA0B7D49FF3D309AB51EC94B06C7370EFC5D7AA5200F05D130F27EEC9762E

文件大小: 55.30 KB, 55296 bytes

MD5: 5d7149ceedf9f6ae4fbe58771daeec84

SHA1: 4ed9ef1ed31a9dda24b488f10a0799003a1ab0fe

SHA256: 7334C22939E917D6D9E4B3F849F07F7FA6D34D9787692B3DCA06145B3D7EBF4B

文件大小: 44.54 KB, 44544 bytes

MD5: e27820ce232dfe90f0e7eda36614d2d1

SHA1: 46523ea3b60c6987d20b0751296b7d3de874e6d7

SHA256: 1FC75F0B36B7DF183678BE72F3B225ACC04A5B450D67D2E1AF42DEE53A243805

文件大小: 2.07 MB, 2074112 bytes

MD5: 4489cbaa5dc8e45ad3293280175bda02

SHA1: 6a2f992055737bd58e936c01c86ed965034dce57

SHA256: D95B28A388740E01832E83FCCFB6EB8B07188C36FFDCC5D73FA9D00754946459

文件大小: 265.73 KB, 265728 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have security information
File has exports table
File has TLS information
File is .NET application
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application

File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

姓名	价值
Assembly Version	1.0.0.0
Company Name	Synaptics
File Description	dSoft Synaptics Pointing Device Driver uninstall
File Version	1.0.0.4 1.0.0.0
Internal Name	dSoft.exe License Editor.exe Quantis.exe SearchSystem.exe uninstall.dll
Legal Copyright	Copyright © 2020 Copyright © 2021
Original Filename	dSoft.exe License Editor.exe Quantis.exe SearchSystem.exe uninstall.dll
Product Name	dSoft Synaptics Pointing Device Driver uninstall
Product Version	1.0.0.0

File Traits

.NET
00 section
2+ executable sections
dll
HighEntropy
Installer Version
NewLateBinding
ntdll
RijndaelManaged
Run

Block Information

Total Blocks:	74
Potentially Malicious Blocks:	41
Whitelisted Blocks:	20
Unknown Blocks:	13

Visual Map

0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? x x x ? x x x x x x x x 0 x x x x x ? ? ? ? x ? ? x x x ? ? x x ? x x x ? 0 x x x x x 0 0 x x x x x x x x x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.BypassUAC.K
MSIL.BypassUAC.LC
MSIL.BypassUAC.P
MSIL.Downloader.CAYD
MSIL.Rozena.GG

Files Modified

File	Attributes
c:\users\user\ce89172965fe3205dc28014db093c5c19a3e1236_0000055296	Generic Write,Read Attributes

Registry Modifications

Key::Value	数据	API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey

HKLM\software\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey

Windows API Usage

Category	API
Other Suspicious	AdjustTokenPrivileges SetWindowsHookEx
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserName GetUserObjectInformation
Anti Debug	CheckRemoteDebuggerPresent IsDebuggerPresent NtQuerySystemInformation
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort Show More ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThread ntdll.dll!NtQueueApcThreadEx2 ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReadVirtualMemory ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtUnsubscribeWnfStateChange ntdll.dll!NtWaitForAlertByThreadId 8 additional items are not displayed above.
Encryption Used	BCryptOpenAlgorithmProvider
Process Manipulation Evasion	ReadProcessMemory
Network Winsock2	WSAConnect WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	closesocket freeaddrinfo getaddrinfo recv send setsockopt
Network Winhttp	WinHttpOpen
Network Info Queried	GetAdaptersAddresses GetNetworkParams

EnigmaSoft 的支付處理商 Digital River GmbH 申請破產並不影響 SpyHunter 客戶的反惡意軟體保護

搜索

更改區域

XWorm RAT

威脅評分卡

EnigmaSoft 威胁记分卡

XWorm RAT 可以竊取廣泛的敏感信息

XWorm RAT 可用於在被破壞的設備上傳遞勒索軟件有效負載

分析报告

一般信息

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

提交評論

熱門

Axischainedge.com

MegaETH註冊騙局

Imorportabless.com

最受關注

如何修復“打印機驅動程序不可用”錯誤

Discord 在共享屏幕時顯示黑屏

如何修復“macOS 無法驗證此應用程序沒有惡意軟件”