Malware Analysis Report

2025-08-05 16:53

Sample ID: 250127-sk2rdsvndr
Target: Roblox_Executor_Beta.exe
SHA256: aa64358a472b702ab5aff39145479b07595f1d2a2e538fd13d448211f9bbb2e5
Tags: xworm, discovery, rat, trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: aa64358a472b702ab5aff39145479b07595f1d2a2e538fd13d448211f9bbb2e5
Threat Level: Known bad

The file Roblox_Executor_Beta.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm, discovery, rat, trojan

- Detect Xworm Payload
- Xworm
- Xworm family
- Executes dropped EXE
- Loads dropped DLL
- Drops startup file
- Checks computer location settings
- Enumerates physical storage devices
- System Location Discovery: System Language Discovery
- Unsigned PE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-27 15:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-27 15:11
Reported: 2025-01-27 15:14
Platform: win7-20240903-en
Max time kernel: 124s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

Tags: trojan, rat, xworm

Xworm family

Tags: xworm

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | modern-educators.gl.at.ply.gg | udp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe

MD5: a60aaf03b5ec3e9b3893ae2f1a7f10e3
SHA1: fffdb19dcfe20db81d0d944d73266ea0eb4baf0c
SHA256: 12299a9f7a3be287db04f822ab026dc94234a643118cac66d34ddbfa136736f6
SHA512: d2422d661ba7b27f17ce09653c3f839e72e1ac80a9a7e06ae5b5262d9c1e5f42346170722deb94436e48b72e4b2c0a7d4783406af4817a0f236757e34ac5dc87

Memory dumps:
memory/2712-15-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp
memory/2712-16-0x0000000001240000-0x0000000001250000-memory.dmp
memory/2712-21-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
memory/2712-22-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp
memory/2712-23-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-27 15:11
Reported: 2025-01-27 15:14
Platform: win10v2004-20241007-en
Max time kernel: 136s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

Tags: trojan, rat, xworm

Xworm family

Tags: xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | modern-educators.gl.at.ply.gg | udp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe

MD5: a60aaf03b5ec3e9b3893ae2f1a7f10e3
SHA1: fffdb19dcfe20db81d0d944d73266ea0eb4baf0c
SHA256: 12299a9f7a3be287db04f822ab026dc94234a643118cac66d34ddbfa136736f6
SHA512: d2422d661ba7b27f17ce09653c3f839e72e1ac80a9a7e06ae5b5262d9c1e5f42346170722deb94436e48b72e4b2c0a7d4783406af4817a0f236757e34ac5dc87

Memory dumps:
memory/916-12-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp
memory/916-13-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
memory/916-18-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp
memory/916-19-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp
memory/916-20-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp