xworm | 72236b0c3065f7c3d5fdb92c12360ba861da775d04575a0dd2e24c49cfc72903

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0852070946c994c917dc120520af8bb0c482c583ee46c7f97af0d7d0b5cb879fN.exe
Size

142KB
MD5

264c15ac721a2f333c487e4f10cf5dd6
SHA1

b7b452dd8e88dc47572061b563f33c05b6d8acbc
SHA256

72236b0c3065f7c3d5fdb92c12360ba861da775d04575a0dd2e24c49cfc72903
SHA512

0c3f91e80a019ecd55d9dbf820fd38d61b640a8e4f0d5ee0e5b2a076f788c8ca4aa1194a5c444d9cb22d528355911263815708cceceeb0e3872fa0fdb7799f4b
SSDEEP

768:EG2ZOWZ42nxujIXvgggCLJF5PG9pm9X6vOwh03Emzk621sIwEk4w00wIF:EG2bZ42n0UXvvgcFI9Ah6vOwO9HEUF

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

rather-obtain.gl.at.ply.gg:41839

Mutex

H1dYqdAbVrDWBJtu

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3056-1-0x0000000000050000-0x0000000000078000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	0852070946c994c917dc120520af8bb0c482c583ee46c7f97af0d7d0b5cb879fN.exe

C:\Users\Admin\AppData\Local\Temp\0852070946c994c917dc120520af8bb0c482c583ee46c7f97af0d7d0b5cb879fN.exe
"C:\Users\Admin\AppData\Local\Temp\0852070946c994c917dc120520af8bb0c482c583ee46c7f97af0d7d0b5cb879fN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3056-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000000050000-0x0000000000078000-memory.dmp

Filesize
160KB

Download
memory/3056-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/3056-3-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download