xworm | 4bcc85712b15132783ec43ba4f34f528f1a0dc9b3a62328fb15eefeebfb53820

Analysis

max time kernel
299s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveCrack_Setup.exe
Size

40KB
MD5

8287a8adc30dc0247fe326b7911915c1
SHA1

86cb67ef4c3b5050388d55a52fc6c12eb719e5f2
SHA256

4bcc85712b15132783ec43ba4f34f528f1a0dc9b3a62328fb15eefeebfb53820
SHA512

4e8a3debc0bdb01ae1c93a0cb6840b0f19c2a84637d2624d680a638707ae96e89488539a342ca79e93bdfb1fb539a627c61c98aea0992659dfd2915d9129e565
SSDEEP

384:5a1UqqyHfBXyhCTTTG/8VpPyJLZXHhamSPLZHI1t9lD4/PKANR2uiQHpkFMAIiLQ:NyMEvPE+1Z4ADNULNFr9eFqO+hn6px

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

sOB91tZbixBC7RKs

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/ay20NBKe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4080-1-0x0000000000AE0000-0x0000000000AF0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	WaveCrack_Setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	WaveCrack_Setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
88	pastebin.com
102	pastebin.com
121	pastebin.com
125	pastebin.com
134	pastebin.com
17	pastebin.com
68	pastebin.com
83	pastebin.com
100	pastebin.com
118	pastebin.com
72	pastebin.com
73	pastebin.com
130	pastebin.com
133	pastebin.com
117	pastebin.com
128	pastebin.com
96	pastebin.com
104	pastebin.com
107	pastebin.com
119	pastebin.com
51	pastebin.com
76	pastebin.com
54	pastebin.com
84	pastebin.com
103	pastebin.com
112	pastebin.com
19	pastebin.com
52	pastebin.com
66	pastebin.com
97	pastebin.com
120	pastebin.com
131	pastebin.com
80	pastebin.com
87	pastebin.com
115	pastebin.com
116	pastebin.com
31	pastebin.com
94	pastebin.com
63	pastebin.com
75	pastebin.com
85	pastebin.com
126	pastebin.com
33	pastebin.com
59	pastebin.com
64	pastebin.com
78	pastebin.com
95	pastebin.com
99	pastebin.com
101	pastebin.com
124	pastebin.com
29	pastebin.com
50	pastebin.com
136	pastebin.com
92	pastebin.com
122	pastebin.com
32	pastebin.com
60	pastebin.com
47	pastebin.com
48	pastebin.com
61	pastebin.com
81	pastebin.com
106	pastebin.com
123	pastebin.com
22	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	WaveCrack_Setup.exe

C:\Users\Admin\AppData\Local\Temp\WaveCrack_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\WaveCrack_Setup.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4080-1-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/4080-0-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp

Filesize
8KB

Download
memory/4080-6-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-7-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp

Filesize
8KB

Download
memory/4080-8-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download