xworm | 234ee4f7eaa9fa4de4c99636f93eceae368fa3b8fc7fd7d0d4ff4dd246cc0c66

Analysis

max time kernel
119s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 19:15

Target

GDsploit.exe
Size

74KB
MD5

a404cf6997c234e386c2c286464299fa
SHA1

19ab46be2a1b22b9dee6dd58039242077d89ef32
SHA256

234ee4f7eaa9fa4de4c99636f93eceae368fa3b8fc7fd7d0d4ff4dd246cc0c66
SHA512

751f257cb96fad5c7ba1021b8f6140e9b113469cb3ff5a143c25e2bf2d89832ef2bb68d252de3bcdc8ea645252f213df570c33d5d17a97f9babe1b06c5c855c8
SSDEEP

1536:bJVH0C0q4NXqbQV/MLcRkhAb4YU92mi8D6GG6j2OnNjHAcFcaNG:bJVH0VNab4wzyb4YXmV6GCONjHJRG

Score

10^/10

xworm rat trojan

Family

xworm

23.ip.gl.ply.gg:9024

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2424-1-0x0000000000320000-0x0000000000338000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	GDsploit.exe

C:\Users\Admin\AppData\Local\Temp\GDsploit.exe
"C:\Users\Admin\AppData\Local\Temp\GDsploit.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

memory/2424-0-0x00007FFD8B303000-0x00007FFD8B305000-memory.dmp

Filesize
8KB

Download
memory/2424-1-0x0000000000320000-0x0000000000338000-memory.dmp

Filesize
96KB

Download
memory/2424-2-0x00007FFD8B300000-0x00007FFD8BDC1000-memory.dmp

Filesize
10.8MB

Download
memory/2424-3-0x00007FFD8B300000-0x00007FFD8BDC1000-memory.dmp

Filesize
10.8MB

Download