xworm | f00488f82909c15a73035d47562eba75d37938325d7b3f4ceda881aa493d82fc

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 17:06 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

57KB
MD5

c9c9acd68627f7369b66c70a8cd7a95e
SHA1

3e9739a048f42438d65e65b6ce29a924ff8d56d1
SHA256

f00488f82909c15a73035d47562eba75d37938325d7b3f4ceda881aa493d82fc
SHA512

e33c116c318b8561541ad31f8087d4a260423eaf7922db3b03462a7d99bfff73b00d9f2cda9814f38b30f7b84f89d2bea9743322318e805ca451fdf76fbaae4c
SSDEEP

1536:FBtAJqjhkPjl5RXDokbrsY06RjpqIOrmE:FBtAJ0hajlDokbrzRsIOr5

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

choice-virgin.gl.at.ply.gg:64988

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1952-1-0x0000000000D00000-0x0000000000D14000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

107.211.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.211.222.173.in-addr.arpa

IN PTR

Response

107.211.222.173.in-addr.arpa

IN PTR

a173-222-211-107deploystaticakamaitechnologiescom
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

choice-virgin.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

choice-virgin.gl.at.ply.gg

IN A

Response

choice-virgin.gl.at.ply.gg

IN A

147.185.221.20
DNS

choice-virgin.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

choice-virgin.gl.at.ply.gg

IN A

Response

choice-virgin.gl.at.ply.gg

IN A

147.185.221.20
DNS

20.221.185.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.221.185.147.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

11.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.173.189.20.in-addr.arpa

IN PTR

Response

147.185.221.20:64988

choice-virgin.gl.at.ply.gg

XClient.exe

1.0kB
356 B
8
8
147.185.221.20:64988

choice-virgin.gl.at.ply.gg

XClient.exe

1.0kB
356 B
8
8
147.185.221.20:64988

choice-virgin.gl.at.ply.gg

XClient.exe

1.0kB
356 B
8
8
147.185.221.20:64988

choice-virgin.gl.at.ply.gg

XClient.exe

1.0kB
356 B
8
8
147.185.221.20:64988

choice-virgin.gl.at.ply.gg

XClient.exe

1.0kB
356 B
8
8
147.185.221.20:64988

choice-virgin.gl.at.ply.gg

XClient.exe

730 B
184 B
4
4

8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

107.211.222.173.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

107.211.222.173.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

choice-virgin.gl.at.ply.gg

dns

XClient.exe

144 B
176 B
2
2

DNS Request

choice-virgin.gl.at.ply.gg

DNS Request

choice-virgin.gl.at.ply.gg

DNS Response

147.185.221.20

DNS Response

147.185.221.20
8.8.8.8:53

20.221.185.147.in-addr.arpa

dns

73 B
130 B
1
1

DNS Request

20.221.185.147.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

11.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-0-0x00007FFC29A93000-0x00007FFC29A95000-memory.dmp

Filesize
8KB

Download
memory/1952-1-0x0000000000D00000-0x0000000000D14000-memory.dmp

Filesize
80KB

Download
memory/1952-2-0x00007FFC29A90000-0x00007FFC2A551000-memory.dmp

Filesize
10.8MB

Download
memory/1952-3-0x00007FFC29A93000-0x00007FFC29A95000-memory.dmp

Filesize
8KB

Download
memory/1952-4-0x00007FFC29A90000-0x00007FFC2A551000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.