xworm | 04cfe85ad9f84a7bb65c39ed40e209fdd61f3a3cb52d0606a9fc41f780a2ba1f

Analysis

max time kernel
127s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 16:00

Target

XClient.exe
Size

33KB
MD5

f869f9d64a8a01aff088f8c830a477dc
SHA1

0e8af0081201e0d423abc29ae6f2cd948c12ba97
SHA256

04cfe85ad9f84a7bb65c39ed40e209fdd61f3a3cb52d0606a9fc41f780a2ba1f
SHA512

0da21ecb4896f716b1fb3b3e8813eb268aabd84f1e51f29c24fc6b8349ccfbd377d957828b437882d5ef65c654001f25a65259777ecd18980cdd0116afde876c
SSDEEP

384:Cl8UlK/V9FoBZ9aZV0NLx7o92lKZaJZvf/95ApkFy7BLT/OZwpGmTv99IkcisOHh:qO/VMOGxwgJZvn9dFyJ9FoOjh4Jy

Score

10^/10

xworm rat trojan

Family

xworm

Version

5.0

sep-framing.gl.at.ply.gg:61526

Mutex

wCIHQbYCz8ryLWwh

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2292-1-0x0000000001100000-0x000000000110E000-memory.dmp	family_xworm

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	XClient.exe
Token: SeDebugPrivilege	2292	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

memory/2292-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000001100000-0x000000000110E000-memory.dmp

Filesize
56KB

Download
memory/2292-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-3-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2292-4-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download