xworm | 2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/11/2024, 09:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe
Size

35KB
MD5

06816c1ba5f896e555820b1f2f5926d0
SHA1

c5e9df298b0b0029a6411564cd278063e39c71a6
SHA256

2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a
SHA512

6ed74f39beb5a4a52ba3953ff33bd2c9687048ed71a2b9d0cf80cf9f4229ae6e3e7fcc47d6f2115582b2876419036c07aa6c17ad6a93f11e831089168197a3f7
SSDEEP

384:QqtdZi5eAKu6VztV/MH3uY2AU7LpCkjx5e5h/KwGkzaubf0nc/C7WX3yO5I2jz7y:Yy2BGpC4Len/KwG4vbZVdq22CJ9UhFM

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
Sistem X64.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1336-0-0x0000000000CD0000-0x0000000000CE0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe

C:\Users\Admin\AppData\Local\Temp\2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe
"C:\Users\Admin\AppData\Local\Temp\2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 08 Nov 2024 09:37:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

98.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.117.19.2.in-addr.arpa

IN PTR

Response

98.117.19.2.in-addr.arpa

IN PTR

a2-19-117-98deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe

310 B
266 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

2d6c0c98d1025f342d82141ed5873c1b67b6ad7ed9034a13770f3227371d0c5a.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

98.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

98.117.19.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-1-0x00007FF9C0CF0000-0x00007FF9C0FB9000-memory.dmp

Filesize
2.8MB

Download
memory/1336-0-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/1336-2-0x00007FF9C0CF0000-0x00007FF9C0FB9000-memory.dmp

Filesize
2.8MB

Download
memory/1336-3-0x00007FF9C0CF0000-0x00007FF9C0FB9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.