Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-02-2025 16:41
General
-
Target
XwormRAT-6ffec2e3e08096b1a19ed5cbb931590c3b0c2c5fef87c2f221bdf00099736fe1.exe
-
Size
325KB
-
MD5
7a52c4004cff0607cfb41514a8012304
-
SHA1
c2efe4e8378102db567520c9e6b8f8732ce078b7
-
SHA256
6ffec2e3e08096b1a19ed5cbb931590c3b0c2c5fef87c2f221bdf00099736fe1
-
SHA512
d61e7a2272a9898b19b53bc5f94f72a8bcaf079d974eadc92d1b14d7ff00323245c7db33274e630ef9d8441be4ae18f378de5ddfe0bf0d9486eaf4d19c78feef
-
SSDEEP
6144:y9Nue9jnROyTeAlUueYEL7AK52Z5+GaavsQXrJw8oB2XiOG:yfOyTeEUuLEL7D52ZQGB0QXrdA2X
Malware Config
Extracted
xworm
flash-affordable.gl.at.ply.gg:64820
-
Install_directory
%Temp%
-
install_file
SecurityHost.exe
-
telegram
https://api.telegram.org/bot7873282441:AAFVeYQ8VZCC3gF8qlaTYIz4N-gMEL21mHI/sendMessage?chat_id=7952080340
Extracted
umbral
https://discord.com/api/webhooks/1338955298215432203/bKCNv20MfC-uRLQ9U8b8R2MvcekWeTVte6JKtVnAGQhc4l2UJ1KxbIFnU9Q5hZfnLYXh
Signatures
-
Detect Umbral payload 2 IoCs
-
Detect Xworm Payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Executes dropped EXE 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\XwormRAT-6ffec2e3e08096b1a19ed5cbb931590c3b0c2c5fef87c2f221bdf00099736fe1.exe"C:\Users\Admin\AppData\Local\Temp\XwormRAT-6ffec2e3e08096b1a19ed5cbb931590c3b0c2c5fef87c2f221bdf00099736fe1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1.16.5.exe"C:\Users\Admin\AppData\Roaming\1.16.5.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\SystemHost.exe"C:\Users\Admin\AppData\Roaming\SystemHost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
85KB
MD5de41de455bae5508ee71e7f819191ec9
SHA1a892ea505794b1d466ef9a90a3482def3acaacff
SHA2560e0e4fcd0f1183c9d9367f2617d43685bc42f47d0ec6730d32352b0c83376a90
SHA512641d1d55311393d33e53e655be4d3e5841cf4e5bd65046acd504e8fa98b0fc1d623339f2e59b6e6524df9dba7bbe3c606e45096edb42ab93fbd7264168e9cf34
-
Filesize
227KB
MD5e07b0bddb4e6c86e0e565ec1623d35c4
SHA111bc4bb5b2af5633a50c2bfb6b1b9b23b7f27fc7
SHA25635c09de560097ccb637a089452552fcd8313dcb4a75e9a85c60501b35e477f9f
SHA5123af156d2b01cd43f01843ae3335ad0603a5d86196f04bc2b49467060b4a761f10ec11222dbdb3bb5e1387921e0113b10e629e35945bf6f192fc6140e5b3a036e
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
256KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
9.9MB