xworm | 43c3a1c79760f8d07c0c99dce1d8840f92df0c29e4a421bb973a1628c1ccb595

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

250KB
MD5

54d014f0850b34d0ce91b642cae732c2
SHA1

2897c4b23173e00d37516cbebe5d40381a375057
SHA256

43c3a1c79760f8d07c0c99dce1d8840f92df0c29e4a421bb973a1628c1ccb595
SHA512

dbc8463f7da9bf6cc1543a2e341d2b41678c06633a3a36569d5da06080443dcb2c754ef7ccc7fc1313c36382308e74650925d0bc4815d2cab06fdc6c43f64f55
SSDEEP

1536:omVhUrwLdAJEm5pkbrID1PkzxDl+gVOVm2kVBUxD0jOhkpzRf0nv:1V3dgkbrINkL+gVOVm9oylf0nv

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/H3wFXmEi

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1028-0-0x0000000000B00000-0x0000000000B44000-memory.dmp	family_xworm
behavioral1/memory/1028-2-0x000000001AFC0000-0x000000001B040000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-0-0x0000000000B00000-0x0000000000B44000-memory.dmp

Filesize
272KB

Download
memory/1028-1-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1028-2-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/1028-3-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1028-4-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download