xworm | 2d4742b50b053e1fee4d654a2f698402a5da6e9a584e73b83fb7ee7119c425e8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/11/2024, 18:37

Target

2024-11-10_bb2fb269c54f442475ad7648f92bf335_hiddentear.exe
Size

183KB
MD5

bb2fb269c54f442475ad7648f92bf335
SHA1

a98a9cba1ee408ea3482a4c1b1d029dc06b6c485
SHA256

2d4742b50b053e1fee4d654a2f698402a5da6e9a584e73b83fb7ee7119c425e8
SHA512

013ceb31fda3c3e703110629edc6c9a5ae08c8a0c71be26093837fbb89f22b3c0b2f68a3c818af1f6fb70b3f6116c47b3a097937270ec561d57eefc005f51885
SSDEEP

3072:wWzX+9uQ5p6ku+6bpifXN6O01TM+lmsolAIrRuw+mqv9j1MWLQ1:Ycr+6bGd9+lDAA

Score

10^/10

xworm rat trojan

Family

xworm

godschild-57347.portmap.host:57347

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2012-1-0x00000000008C0000-0x00000000008F4000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	2024-11-10_bb2fb269c54f442475ad7648f92bf335_hiddentear.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-10_bb2fb269c54f442475ad7648f92bf335_hiddentear.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_bb2fb269c54f442475ad7648f92bf335_hiddentear.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

memory/2012-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/2012-1-0x00000000008C0000-0x00000000008F4000-memory.dmp

Filesize
208KB

Download
memory/2012-2-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-3-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/2012-4-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download