xworm | 76d6669ad68b7c67e39555f80daed39819d51f97ec0632e0a4d50b61df0955c0

Analysis

max time kernel
145s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-01-2025 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

33KB
MD5

5e952647a6578cfaf9fdfced5f01f7be
SHA1

f3455100f4d55dcfd93773d54721b079f8d83061
SHA256

76d6669ad68b7c67e39555f80daed39819d51f97ec0632e0a4d50b61df0955c0
SHA512

b0f3d10e291e2726e15db39c138c48f4fa79e79fdf5603d2f7d560f5908a48627844d70793471e0527eae417db1f1f04b2ec986711226518bacbc50f73e7f4fa
SSDEEP

384:0l0UMD9SszMJ11DcS/i8L7zZ3ZFsLcvSAOo6PRApkFTBLTsOZwpGN2v99IkuisVK:AoD9vQB3Z3HJvlOPVF89j9OjhGb1

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

0.tcp.eu.ngrok.io:17946

Mutex

ojRX841cSUsfpUcT

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1656-1-0x0000000000FE0000-0x0000000000FEE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	0.tcp.eu.ngrok.io
31	0.tcp.eu.ngrok.io
47	0.tcp.eu.ngrok.io

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	XClient.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-0-0x00007FFF3CEB3000-0x00007FFF3CEB5000-memory.dmp

Filesize
8KB

Download
memory/1656-1-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

Filesize
56KB

Download
memory/1656-2-0x00007FFF3CEB0000-0x00007FFF3D972000-memory.dmp

Filesize
10.8MB

Download
memory/1656-3-0x00007FFF3CEB3000-0x00007FFF3CEB5000-memory.dmp

Filesize
8KB

Download
memory/1656-4-0x00007FFF3CEB0000-0x00007FFF3D972000-memory.dmp

Filesize
10.8MB

Download