xworm | dd458b587ff13c0b865db4ac110b5797c68c05d7573dcb2056b998c82f3585ae

Analysis

max time kernel
439s
max time network
452s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-11-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient (1).exe
Size

32KB
MD5

0c1836af4d2a75384dfae7e45763e4cb
SHA1

ba75a54681028892c77ec70226a03834576589d9
SHA256

dd458b587ff13c0b865db4ac110b5797c68c05d7573dcb2056b998c82f3585ae
SHA512

e674f386a34fbfbe7101c6cc8a43ac2416d3ff04a84e208ae16a01b8e6edee73d4bcbc5de16a5d4d94f06f2051273cecf285ffc5fdfa80eb64c90c10af12e2eb
SSDEEP

384:aEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFOzldRApkFTBLTsOZwpGd2v99Ikuispf:TVa+vNtg+PB93Tw4OldVFE9jcOjhYbN

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

80.76.49.227:9999

Mutex

2G2GCFyKfM7BM0l4

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4936-1-0x0000000000B90000-0x0000000000B9E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1516	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	XClient (1).exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2536	4936	XClient (1).exe	80
PID 4936 wrote to memory of 2536	4936	XClient (1).exe	80
PID 2536 wrote to memory of 1516	2536	cmd.exe	82
PID 2536 wrote to memory of 1516	2536	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5641.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5641.tmp.bat

Filesize
163B

MD5
589562f8ab5a8b5fa479630b28befc00

SHA1
3eef34ca1eee46d2c0e7a44ea6889ca4ddf0a520

SHA256
fd96fce12a9242af8333bcc70c9bbba636d9cc9fa5986362ef39241192aebc17

SHA512
b36cec2a76c0019dbf06a0cff15af09b50bf1e3d368749e0e5fb03b5cba1ef4570bb532d8ff347f8a4b3bdc7a1f770b232ac9b2cf3d2bfa8ac22ef0f8a2e0eff

Download Submit
memory/4936-0-0x00007FF9EA4C3000-0x00007FF9EA4C5000-memory.dmp

Filesize
8KB

Download
memory/4936-1-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/4936-2-0x00007FF9EA4C0000-0x00007FF9EAF82000-memory.dmp

Filesize
10.8MB

Download
memory/4936-3-0x00007FF9EA4C3000-0x00007FF9EA4C5000-memory.dmp

Filesize
8KB

Download
memory/4936-4-0x00007FF9EA4C0000-0x00007FF9EAF82000-memory.dmp

Filesize
10.8MB

Download
memory/4936-9-0x00007FF9EA4C0000-0x00007FF9EAF82000-memory.dmp

Filesize
10.8MB

Download