Overview

overview

10

Static

static

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2024 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    30KB

  • MD5

    0d5c411182a5f01ea43a023f88057d01

  • SHA1

    c69b76f157d4809b4da5d6872521232291c9c481

  • SHA256

    127085327ea5c2e1aa2fa5a85ab2247931d7b289134e9adf0d54d58a964ad5b0

  • SHA512

    880ec195cf7afff240caa517fc1d815550a582502156b820b9ab7b999ad540f2be850abed2e1c5c2dacd27c89190ebae35fc987288841a5095489d81f41bb85c

  • SSDEEP

    768:Becbl/b37gMYAoRN9M2uBFE9RkOqhZbD:4cxS9M24FE9RkOq7P

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

192.168.0.1:8080

Mutex

fBzTMyzTpg15BaDk

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3340-0-0x0000000000A10000-0x0000000000A1E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3340-1-0x00007FF85FA90000-0x00007FF860551000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3340-2-0x0000000002C50000-0x0000000002C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3340-3-0x00007FF85FA90000-0x00007FF860551000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3340-4-0x0000000002C50000-0x0000000002C60000-memory.dmp

    Filesize

    64KB

    Download