xworm | c5d1a93c06cfd5547096cf37da77bede86b87ea453c941601c315b949f6f5b1c

Analysis

max time kernel
298s
max time network
300s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-01-2025 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Steam_Setup.exe
Size

321KB
MD5

847b0e2d9aec6a7a4429cb31e9718468
SHA1

6b8e865b06e214250fef0ef7190c51c386c3c681
SHA256

c5d1a93c06cfd5547096cf37da77bede86b87ea453c941601c315b949f6f5b1c
SHA512

aa456b7e3a9591ee3d91198bd6d4721335b9bf07b5adea9365dd8a598b99c9b3d085cb5f961e5bda4d4fe9cd6c66f42ba238f32d747d9b6ca3e412d80047f08d
SSDEEP

6144:7xsyVbxd+GIIIIIIIhIIIIIIIIIIIIIIIU:1sv

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/ay20NBKe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/844-1-0x0000000000D40000-0x0000000000D96000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Steam_Setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Steam_Setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
22	pastebin.com
23	pastebin.com
28	pastebin.com
69	pastebin.com
72	pastebin.com
85	pastebin.com
88	pastebin.com
29	pastebin.com
35	pastebin.com
45	pastebin.com
47	pastebin.com
97	pastebin.com
58	pastebin.com
60	pastebin.com
71	pastebin.com
76	pastebin.com
2	pastebin.com
11	pastebin.com
24	pastebin.com
49	pastebin.com
87	pastebin.com
31	pastebin.com
34	pastebin.com
65	pastebin.com
74	pastebin.com
101	pastebin.com
6	pastebin.com
9	pastebin.com
27	pastebin.com
44	pastebin.com
79	pastebin.com
32	pastebin.com
55	pastebin.com
59	pastebin.com
62	pastebin.com
93	pastebin.com
7	pastebin.com
21	pastebin.com
80	pastebin.com
86	pastebin.com
83	pastebin.com
94	pastebin.com
102	pastebin.com
104	pastebin.com
38	pastebin.com
52	pastebin.com
78	pastebin.com
81	pastebin.com
68	pastebin.com
70	pastebin.com
90	pastebin.com
92	pastebin.com
25	pastebin.com
40	pastebin.com
57	pastebin.com
66	pastebin.com
82	pastebin.com
105	pastebin.com
10	pastebin.com
33	pastebin.com
42	pastebin.com
54	pastebin.com
50	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	Steam_Setup.exe

C:\Users\Admin\AppData\Local\Temp\Steam_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Steam_Setup.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-0-0x00007FFAA10A3000-0x00007FFAA10A5000-memory.dmp

Filesize
8KB

Download
memory/844-1-0x0000000000D40000-0x0000000000D96000-memory.dmp

Filesize
344KB

Download
memory/844-6-0x00007FFAA10A0000-0x00007FFAA1B62000-memory.dmp

Filesize
10.8MB

Download
memory/844-7-0x00007FFAA10A3000-0x00007FFAA10A5000-memory.dmp

Filesize
8KB

Download
memory/844-8-0x00007FFAA10A0000-0x00007FFAA1B62000-memory.dmp

Filesize
10.8MB

Download