Malware Analysis Report

2025-08-11 07:49

Sample ID 241029-1yp9hszkcw
Target Dekbangtlez.exe
SHA256 0dc0610dbac4926a7d3ab442dba98ed1efdea06c7b53b690d1cd2a85e77af3fd
Tags xworm rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

0dc0610dbac4926a7d3ab442dba98ed1efdea06c7b53b690d1cd2a85e77af3fd

Threat Level: Known bad

The file Dekbangtlez.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Xworm family

Detect Xworm Payload

Xworm

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 22:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 22:03

Reported

2024-10-29 22:04

Platform

win10ltsc2021-20241023-en

Max time kernel

30s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Dekbangtlez.exe N/A
N/A N/A C:\ProgramData\Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Dekbangtlez.exe N/A
N/A N/A C:\ProgramData\Dekbangtlez.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Update.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe

"C:\Users\Admin\AppData\Local\Temp\Dekbangtlez.exe"

C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe

"C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\ProgramData\Dekbangtlez.exe

"C:\ProgramData\Dekbangtlez.exe"

C:\ProgramData\Update.exe

"C:\ProgramData\Update.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mode 70,10

C:\Windows\system32\mode.com

mode 70,10

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 fluxauth.com udp
US 172.67.131.205:80 fluxauth.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.12.23.50:443 tcp

Files

memory/1572-0-0x00007FFB4AEA3000-0x00007FFB4AEA5000-memory.dmp

memory/1572-1-0x0000000000850000-0x0000000000900000-memory.dmp

C:\Users\Admin\AppData\Roaming\Dekbangtlez.exe

MD5 c1ad42cb1379c36cd605cbd758bc5001
SHA1 1a471c3089ca4acc7bbef2423717ae8e89e8906c
SHA256 6d69c9b00d9af49c3267f0aa6c77cde27f9a37e60aa03849bc6796b94b2c8d59
SHA512 909f1b2b5f2ebd7486e5a2947b8e61d4688dc05906166cf227eff27a0021a4913ee25b4854dca928bc1b279a621041f260f58b46933043cbb128a6abf02c8c12

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 ae702d156a2ee10aa0df4e5a365654a1
SHA1 bad92787d53da53bda2f180f770752e679ba80c0
SHA256 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

memory/1428-30-0x0000000000010000-0x00000000000AA000-memory.dmp

memory/3960-32-0x0000000000970000-0x0000000000988000-memory.dmp

memory/1428-39-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp

C:\ProgramData\Update.exe

MD5 da9a4e81a524746aaba1013d22b8fda1
SHA1 6069cf40c5989d407afceb1ad85b511278ac309e
SHA256 0f927c26e97088f77bcec0ce7c273d3b6674b0c3b31cd802f2a1999235f6a038
SHA512 34d05ead4af3468d5411b99c2027945cc37eb7633add16f169cdb0963dd533aee355ab0396dfea468abcbf557180f1d2c88f34a831aded1251be3b1a8206386c

C:\ProgramData\Dekbangtlez.exe

MD5 84416279a7351a91459d74dcea00fc7c
SHA1 5b9930ef311221e61a3ac7070ea423474e588f76
SHA256 c7b8225f79a9aee29c753d4442a1884711a73aa90956f055278f9fac083d1392
SHA512 1d712f30db5c75067bf50acf1015fbae0577e7c0b9242a6bff23e2c13648eca52d58e82f5a08d69cc8f80c72b4bcc6e8a6acd7797d725fa2349dca70871460e5

memory/3960-59-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp

memory/4424-61-0x0000000000F50000-0x0000000000F6A000-memory.dmp

memory/1428-60-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Dekbangtlez.exe.log

MD5 11c6e74f0561678d2cf7fc075a6cc00c
SHA1 535ee79ba978554abcb98c566235805e7ea18490
SHA256 d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA512 32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

memory/3960-63-0x00007FFB4AEA0000-0x00007FFB4B962000-memory.dmp