xworm | 11ea34f77c834c824bfb59472c4c26a23918c13e701797a484a5e86544f18e7e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ea34f77c834c824bfb59472c4c26a23918c13e701797a484a5e86544f18e7e.exe
Size

41KB
MD5

86fbf5b376b5daae4018e7a1652b298e
SHA1

c91283deb333efb4c0db91bac8839e084cc58e27
SHA256

11ea34f77c834c824bfb59472c4c26a23918c13e701797a484a5e86544f18e7e
SHA512

801b2a8ec2f2d195e62fe994eaec43f1af2883559df7d03320b801b164e7a8ef8a13e332eb06e2fc6d071e4bb81d09cad2da817e5e17fb84e8a962dd6617217c
SSDEEP

768:+7yYO3CpRkfGG3XvgggPLJF5PG9pmajs6vOwhu3EuzE:yT6CpRvgXvvgtFI9Aajs6vOwkNQ

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

0.tcp.eu.ngrok.io:10358

6.tcp.eu.ngrok.io:10358

4.tcp.eu.ngrok.io:10358

Mutex

QvDYkhYsc5WBgCcl

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4800-1-0x00000000004F0000-0x0000000000500000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	11ea34f77c834c824bfb59472c4c26a23918c13e701797a484a5e86544f18e7e.exe

C:\Users\Admin\AppData\Local\Temp\11ea34f77c834c824bfb59472c4c26a23918c13e701797a484a5e86544f18e7e.exe
"C:\Users\Admin\AppData\Local\Temp\11ea34f77c834c824bfb59472c4c26a23918c13e701797a484a5e86544f18e7e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4800-0-0x00007FFFFE6F3000-0x00007FFFFE6F5000-memory.dmp

Filesize
8KB

Download
memory/4800-1-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/4800-2-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-3-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download