xworm | 6a2e733771d7f141eed2a6f50a0578d443339197a1d8037703b83fa0878ba79c

Analysis

max time kernel
134s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe
Size

36KB
MD5

bc3da510a60f0f44acb92231647e2878
SHA1

91e54702cc242937cb8b854ef894dc3268eeff51
SHA256

6a2e733771d7f141eed2a6f50a0578d443339197a1d8037703b83fa0878ba79c
SHA512

7736d1e360102a5f858da0214073c12c978977f2c075c94b86999fa2a561e4e7b6fe0634e40134700d437fd668cb8ae66e9ec1bc37d1f733de68bfa0d4cec9b2
SSDEEP

384:EHqouAgAkffHnjuNWoAgLWanS3FLZcWzWCu280wpkFMAfNLT2OZwxcV2v99IkHEO:uzuAinEWaRC4QFm9YkOMh4kG0

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

UxOlPOZZNwNV9srk

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/Dh8E7H3R

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4224-1-0x0000000000650000-0x0000000000660000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4224	17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4224	17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe

C:\Users\Admin\AppData\Local\Temp\17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4224-0-0x00007FFB33813000-0x00007FFB33815000-memory.dmp

Filesize
8KB

Download
memory/4224-1-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/4224-2-0x00007FFB33810000-0x00007FFB342D1000-memory.dmp

Filesize
10.8MB

Download
memory/4224-3-0x00007FFB33810000-0x00007FFB342D1000-memory.dmp

Filesize
10.8MB

Download