xworm | 5c7f2a41c842baab25b83b20bbec00f3d4fcd7489c5a74c0e7cf866334711a54

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 10:13

Target

XClient.exe
Size

33KB
MD5

5c7f9d7e424e55486da45c0496766c0d
SHA1

94798eaa3b48bc221d633e9b14670f954dc9e6a1
SHA256

5c7f2a41c842baab25b83b20bbec00f3d4fcd7489c5a74c0e7cf866334711a54
SHA512

35aae931410c53e02dfcdb9919643487b0a4af219f23cd60b53e2ea1f806d98916cd1cb556401cc396ef142c1d4ce0e4c333203d05541b6e321cccfd5b0da491
SSDEEP

384:f+i/Uua+vNijn/xVnzc6nLj7x3ZFsLcvSAOo5DRApkFTBLTsOZwpGN2v99IkuisX:na+vNkDpXx3HJvl1DVF89jaOjhpby

Score

10^/10

xworm rat trojan

Family

xworm

Version

5.0

109.125.129.2:7118

Mutex

c3X97UGU45i1bmvz

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2208-1-0x0000000000FE0000-0x0000000000FEE000-memory.dmp	family_xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

memory/2208-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

Filesize
56KB

Download
memory/2208-2-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-3-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2208-4-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download