Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    33KB

  • MD5

    f869f9d64a8a01aff088f8c830a477dc

  • SHA1

    0e8af0081201e0d423abc29ae6f2cd948c12ba97

  • SHA256

    04cfe85ad9f84a7bb65c39ed40e209fdd61f3a3cb52d0606a9fc41f780a2ba1f

  • SHA512

    0da21ecb4896f716b1fb3b3e8813eb268aabd84f1e51f29c24fc6b8349ccfbd377d957828b437882d5ef65c654001f25a65259777ecd18980cdd0116afde876c

  • SSDEEP

    384:Cl8UlK/V9FoBZ9aZV0NLx7o92lKZaJZvf/95ApkFy7BLT/OZwpGmTv99IkcisOHh:qO/VMOGxwgJZvn9dFyJ9FoOjh4Jy

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

sep-framing.gl.at.ply.gg:61526

Mutex

wCIHQbYCz8ryLWwh

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/5064-0-0x00007FFDBE8A3000-0x00007FFDBE8A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5064-1-0x00000000008E0000-0x00000000008EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/5064-2-0x00007FFDBE8A0000-0x00007FFDBF361000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-3-0x00007FFDBE8A3000-0x00007FFDBE8A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5064-4-0x00007FFDBE8A0000-0x00007FFDBF361000-memory.dmp

    Filesize

    10.8MB

    Download