Malware Analysis Report

2024-11-16 13:40

Sample ID: 240531-xzkhwaab5v
Target: Способ для робуксов.exe
SHA256: f38da3e39db37247e99bcbebfcd72a7ccc5811bbb1a7aef61ee310d15f7b1564
Tags: xworm rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: f38da3e39db37247e99bcbebfcd72a7ccc5811bbb1a7aef61ee310d15f7b1564

Threat Level: Known bad

The file Способ для робуксов.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Xworm family

Xworm

Detect Xworm Payload

Looks up external IP address via web service

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-31 19:17

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 19:17

Reported: 2024-05-31 19:20

Platform: win11-20240419-en

Max time kernel: 148s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe

"C:\Users\Admin\AppData\Local\Temp\Способ для робуксов.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 147.185.221.20:5417 | glass-coffee.gl.at.ply.gg | tcp
US | 147.185.221.20:5417 | glass-coffee.gl.at.ply.gg | tcp
US | 147.185.221.20:5417 | glass-coffee.gl.at.ply.gg | tcp

Files

memory/3244-0-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp

memory/3244-1-0x0000000000780000-0x00000000007AC000-memory.dmp

memory/3244-2-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

memory/3244-3-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp

memory/3244-4-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

memory/3244-5-0x000000001B350000-0x000000001B35C000-memory.dmp

memory/3244-6-0x000000001B6E0000-0x000000001B76E000-memory.dmp