xworm | 5f4f1ac42bdb24c2cf818a1e6f1b35c8163341b86f617b5e2f6c3a64f8a013b2

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 00:33

Target

5f4f1ac42bdb24c2cf818a1e6f1b35c8163341b86f617b5e2f6c3a64f8a013b2.exe
Size

32KB
MD5

6861f2511e01bf8cc6a7c1602ecce463
SHA1

795b2047772c3525374c2f31285c537023684b75
SHA256

5f4f1ac42bdb24c2cf818a1e6f1b35c8163341b86f617b5e2f6c3a64f8a013b2
SHA512

35e764302bf2a285102fbc3bba8a6a6acf07286e550aeae8f984345e483ef51482e587e373e681e39a3ddaa8f2ac265e10ef82e2ce06b6009f046fa9af99df66
SSDEEP

768:pVa+vNtg+PB93Tw49FzVFE9jiHOjhcbR:BvNtgw93U49HFE9jcOjql

Score

10^/10

xworm rat trojan

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

ksJXgVv5zjnRbsOt

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1872-1-0x0000000000950000-0x000000000095E000-memory.dmp	family_xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	5f4f1ac42bdb24c2cf818a1e6f1b35c8163341b86f617b5e2f6c3a64f8a013b2.exe

C:\Users\Admin\AppData\Local\Temp\5f4f1ac42bdb24c2cf818a1e6f1b35c8163341b86f617b5e2f6c3a64f8a013b2.exe
"C:\Users\Admin\AppData\Local\Temp\5f4f1ac42bdb24c2cf818a1e6f1b35c8163341b86f617b5e2f6c3a64f8a013b2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872

memory/1872-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1872-1-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1872-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1872-3-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1872-4-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download