xworm | acabf76fd20fe5ab70b051bb8adbb78e80fb4ee289a63eba696dee79f0d95626

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 13:53

Target

acabf76fd20fe5ab70b051bb8adbb78e80fb4ee289a63eba696dee79f0d95626N.exe
Size

68KB
MD5

24499b028bf23690f76cb0d804a1f170
SHA1

f15645349a4105719c01641b0472aba22fd68875
SHA256

acabf76fd20fe5ab70b051bb8adbb78e80fb4ee289a63eba696dee79f0d95626
SHA512

cf5111951db932067ceedfe2e0721d35a9bdf9f2f08c94ba45647d6107fb747a8840dde9ec70f94090ed4c8393649c0284162bbcd106dfb9e02943a999b1a260
SSDEEP

1536:Ha/rUMmH6WzNdd/to66hb7vbecFdwkbhyQ53OQM89vxwJ:Hqr+dtoNb7/fwGvODSS

Score

10^/10

xworm rat trojan

Family

xworm

77.232.132.25:4450

<Xwormmm>:111

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4828-1-0x0000000000BC0000-0x0000000000BD8000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	acabf76fd20fe5ab70b051bb8adbb78e80fb4ee289a63eba696dee79f0d95626N.exe

C:\Users\Admin\AppData\Local\Temp\acabf76fd20fe5ab70b051bb8adbb78e80fb4ee289a63eba696dee79f0d95626N.exe
"C:\Users\Admin\AppData\Local\Temp\acabf76fd20fe5ab70b051bb8adbb78e80fb4ee289a63eba696dee79f0d95626N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

memory/4828-0-0x00007FFA7BF23000-0x00007FFA7BF25000-memory.dmp

Filesize
8KB

Download
memory/4828-1-0x0000000000BC0000-0x0000000000BD8000-memory.dmp

Filesize
96KB

Download
memory/4828-2-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-3-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download