xworm | c4cf13df8afc3f1f55f9fd30807958839110721316c19f1b0692bc99cb9921bf

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 16:04

Target

Fulloption_3.0.exe
Size

88KB
MD5

94be15b6d23986b1f085d036649dbdb1
SHA1

c871893da78093673b57d616044e61ade9209301
SHA256

c4cf13df8afc3f1f55f9fd30807958839110721316c19f1b0692bc99cb9921bf
SHA512

c62824c0e9f356e214f03577539380d2dac73f7da9768a8a6c7c63b59267c34ccd3c8211762de26b21c38162fd069714a4877594d3d9a2182ce0af5925104636
SSDEEP

1536:pvWgDObMMtlpgcHcR4FwdjGb1A4hJG6bPOhhWqAmoUxl:pvWH2wwYb1Ag7OipmD

Score

10^/10

xworm rat trojan

Family

xworm

127.0.0.1:7000

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2780-1-0x0000000000150000-0x000000000016C000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	Fulloption_3.0.exe

C:\Users\Admin\AppData\Local\Temp\Fulloption_3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Fulloption_3.0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780

memory/2780-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2780-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-3-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2780-4-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download