xworm | 8950ce8d0d34da93e1540029b4ff17f127b8619dea6f0e5c90a0d9a78368f52a

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 16:45

Target

xwormport.exe
Size

80KB
MD5

8b6c64186bf08072e4204ec3bde4147c
SHA1

8381d71213c367c4dab4fbf9b33e081e339ad215
SHA256

8950ce8d0d34da93e1540029b4ff17f127b8619dea6f0e5c90a0d9a78368f52a
SHA512

fbc3b75b348f5345f1534f6e740fd696b85c4f2a4f88a616af52fd6d7ccb7b13b0427c0d5e0e7626d0561cba534c5792f54e00f24cc1fd97f7f3ce9ec11e1404
SSDEEP

1536:+VNL/GiQfNlMYojPrZeHdD+8VKjuM4UKbdqmkmuH5f6Yf/JTOjaeKLz4:MNiiOPMXjPrZoD7Kju9UKbdSZRfxTOjx

Score

10^/10

xworm rat trojan

Family

xworm

MadeInMood1-40937.portmap.host:40937

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7375237961:AAFlPWXmEriRUUWDWeG1DeZifKaAFaWD10Q/sendMessage?chat_id=7534517325

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2032-1-0x0000000000350000-0x000000000036A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	xwormport.exe

C:\Users\Admin\AppData\Local\Temp\xwormport.exe
"C:\Users\Admin\AppData\Local\Temp\xwormport.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

memory/2032-0-0x00007FFA473E3000-0x00007FFA473E5000-memory.dmp

Filesize
8KB

Download
memory/2032-1-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/2032-2-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-3-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download