Malware Analysis Report

2024-09-11 14:52

Sample ID 240609-1e63xsfh67
Target XClient (1).exe
SHA256 73a25e9ea9ab8041e1cf327ec49c93fccb61b740c671342d0988b4aea4234a0f
Tags
xworm rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73a25e9ea9ab8041e1cf327ec49c93fccb61b740c671342d0988b4aea4234a0f

Threat Level: Known bad

The file XClient (1).exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm family

Xworm

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 21:34

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 21:34

Reported

2024-06-09 21:38

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient (1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XClient (1).exe

"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.ip.gl.ply.gg udp
US 147.185.221.20:17450 20.ip.gl.ply.gg tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 147.185.221.20:17450 20.ip.gl.ply.gg tcp
US 147.185.221.20:17450 20.ip.gl.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.20:17450 20.ip.gl.ply.gg tcp
US 147.185.221.20:17450 20.ip.gl.ply.gg tcp

Files

memory/4808-0-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

memory/4808-1-0x0000000000D50000-0x0000000000D5E000-memory.dmp

memory/4808-2-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

memory/4808-3-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

memory/4808-4-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

memory/4808-5-0x00000000014F0000-0x00000000014FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 21:34

Reported

2024-06-09 21:36

Platform

android-33-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.213.4:443 udp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-09 21:34

Reported

2024-06-09 21:36

Platform

debian12-armhf-20240221-en

Max time network

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A