xworm | fc163ccd515e93133219915d85cea6f59abc9e78ad8e8cb0e9d0a50ea9937290

Analysis

max time kernel
129s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2025, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stigma (1).rar
Size

2.5MB
MD5

51da68bedfaa8ebf202ab82276734440
SHA1

defdfdc18854eb6da60c1d89ad1f3a7a8df07c0c
SHA256

fc163ccd515e93133219915d85cea6f59abc9e78ad8e8cb0e9d0a50ea9937290
SHA512

a4f188c705d8ad353121639e5b2d94336b19bcc3eec89494dcc0d4d3c38c01ccbbd14e554815b222b7818bb0223a1fe04ce706023aba08cad19efd7d5653f8fc
SSDEEP

49152:gm6iutSWQo9VHBtcJoacfn42UlIsY/ArR50qvqe4s3GnTFaejfmje7:gCutSmH7cJoacf4rlI/svqe4eGBae+a

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

all-te.gl.at.ply.gg:5211

Mutex

L2DNBg468eZWboE2

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023bec-4.dat	family_xworm
behavioral1/memory/648-13-0x00000000004F0000-0x0000000000500000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 8 IoCs

pid	Process
648	Stigma untimate.exe
4340	Stigma untimate.exe
3172	Stigma untimate.exe
1260	Stigma untimate.exe
2680	Stigma untimate.exe
2332	Stigma untimate.exe
3856	Stigma untimate.exe
1724	Stigma untimate.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com
76	ip-api.com

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4788	7zFM.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	4788	7zFM.exe
Token: 35	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeDebugPrivilege	648	Stigma untimate.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeDebugPrivilege	4340	Stigma untimate.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeDebugPrivilege	3172	Stigma untimate.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeDebugPrivilege	1260	Stigma untimate.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeDebugPrivilege	2680	Stigma untimate.exe
Token: SeDebugPrivilege	2332	Stigma untimate.exe
Token: SeDebugPrivilege	3856	Stigma untimate.exe
Token: SeDebugPrivilege	1724	Stigma untimate.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 648	4788	7zFM.exe	98
PID 4788 wrote to memory of 648	4788	7zFM.exe	98
PID 4788 wrote to memory of 4340	4788	7zFM.exe	104
PID 4788 wrote to memory of 4340	4788	7zFM.exe	104
PID 4788 wrote to memory of 3172	4788	7zFM.exe	119
PID 4788 wrote to memory of 3172	4788	7zFM.exe	119
PID 4788 wrote to memory of 1260	4788	7zFM.exe	120
PID 4788 wrote to memory of 1260	4788	7zFM.exe	120

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Stigma (1).rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\7zO4B20BBF7\Stigma untimate.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B20BBF7\Stigma untimate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Users\Admin\AppData\Local\Temp\7zO4B2716A7\Stigma untimate.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B2716A7\Stigma untimate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\7zO4B279568\Stigma untimate.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B279568\Stigma untimate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\7zO4B291C68\Stigma untimate.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B291C68\Stigma untimate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3764

C:\Users\Admin\Downloads\New folder\Stigma untimate.exe
"C:\Users\Admin\Downloads\New folder\Stigma untimate.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\Downloads\New folder\Stigma untimate.exe
"C:\Users\Admin\Downloads\New folder\Stigma untimate.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Users\Admin\Downloads\New folder\Stigma untimate.exe
"C:\Users\Admin\Downloads\New folder\Stigma untimate.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\Downloads\Stigma untimate.exe
"C:\Users\Admin\Downloads\Stigma untimate.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\ForlornApi.dll

Filesize
9KB

MD5
36f064c7b94d3b48b6fba998306d149f

SHA1
68811fa59a0bf4874e41bce03aa414102080e1cd

SHA256
446ad384be07cee89a742fe096fb20505de531501b394c40894be628d1168e9e

SHA512
fc9c048b866c59adebdc12f858679454cf3222f3b7a13e276ee1beaeb5bf419b9299216fc4aca208f37df7cc0926f837fe4161eefbdae1ecc0ba4b5baea706d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\README.txt

Filesize
97B

MD5
151569e431c3d83b9352119c9a628ae6

SHA1
21bfec4ace8d56eba9f8861342a6d01f6b5df029

SHA256
0c749e3b98f758037d8fefb793fc960f9f52df4e28a24d35e0d2c6a30c883029

SHA512
2c68589eb69e3e8e122004d5f854043573f175e4e2e70545afd12d963aa7448f79d571a908254e7365df52aff3224f8db00b05c936882ff57702770fadb366ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\Stigma Ultimate.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\Stigma Ultimate.pdb

Filesize
53KB

MD5
56076632819d1c9ca3787306efb12558

SHA1
04d5fb7f1045321c7c74d6746f2e7e237d70b0b3

SHA256
27c7babc4bb649426c260bb68eafd931703e895b92a09e49c9663b599f2a39f9

SHA512
ca88622719a506c07ef615ec4beb87d00c133b2745fa1183ae7f6f3d57aa8c3bf7a7f1dfde70d79a5d7b6a196b26c219567d349b5bae0367ebf9abba894787ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\cver.txt

Filesize
5B

MD5
d233662f9c26d1a06118c93ef2fd1de9

SHA1
f7ca6a21d278eb5ce64611aadbdb77ef1511d3dd

SHA256
f22abd6773ab232869321ad4b1e47ac0c908febf4f3a2bd10c8066140f741261

SHA512
71b5a4ccb7dee75dc5df15cce8a3aa7f242da2b3b1b0137bc9e1d861971edf84b89757ed811a541e278a0ab11aa26a33958da2104d17b9aa83323a03fc58f439

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\workspace\.tests\loadfile.txt

Filesize
1B

MD5
8fa14cdd754f91cc6554c9e71929cce7

SHA1
4a0a19218e082a343a1b17e5333409af9d98f0f5

SHA256
252f10c83610ebca1a059c0bae8255eba2f95be4d1d7bcfa89d7248a82d9f111

SHA512
711c22448e721e5491d8245b49425aa861f1fc4a15287f0735e203799b65cffec50b5abd0fddd91cd643aeb3b530d48f05e258e7e230a94ed5025c1387bb4e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\workspace\IY_FE.iy

Filesize
549B

MD5
869bb49dc721f8e837e6326d1f7e19fe

SHA1
44bdd911d8c5189c43e1cca37517ac5cbf3e595a

SHA256
4b6a3269be9b0b295234d661ca8f468b92a550c1fa4c1a70800207b269d32ab9

SHA512
232790915cd0fc4b62c6546d8c8cb8355e90b1d7940dd476b9fc725db5af22f9135cc842d0499b59a4707caf53bb9a012efc5cf7f2c8101dccb12c3c562fa3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\workspace\dex\deps_version.dat

Filesize
40B

MD5
56b13c04ce54fedf908e2a900f0df3f5

SHA1
9885e96eae1179b26f51006ec8f2267618948510

SHA256
d8ca742b4b24da556c9fd67a3dbdad1d3acaf00b6f3aa6f357123240866675ff

SHA512
a1481b786488509b8b865fb3cb65400f0b1578aba1423fa5cdf9479c90ec6f3023dfc6614bb44b5ceef84ba24d9bc6b68bae8bcabe7d57a64a9c3dea9b5fea2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\workspace\dex\rbx_api.dat

Filesize
3.9MB

MD5
c31c192974d091badb971fde16825795

SHA1
2d72dace0c277e6c94a361576dea524627b7278a

SHA256
02276f872886a6bc29e2e05a2e551a8c92c0e1745276520f4203d52a15679856

SHA512
2267bf393ca8da01a20497fbab8583b4839bc6b7f8cfdbc40707242b78f38c3ae1947e9e4fa8986099ceecdd58017569d0d4144824210a584a5972f4ed76688f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\workspace\dex\rbx_rmd.dat

Filesize
349KB

MD5
c16812cc3360e5e85db9162b400d8fad

SHA1
3f98f19e3ae06a0a3acbc4c6acc39546d06bf80d

SHA256
358c61c96e64ad3b219908b7c74b56dc0e1e05c679118a785ad012ef407299a4

SHA512
4d97739fbb6c6c9de1e358470f6f22ca8bab520d80abdafc6aeb3d04af2ee8d45de6417689c92f32986db4cee45daef0eb0bf96257f5e98854abf5c3f1720d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B23BEA8\workspace\logo.png

Filesize
689B

MD5
e1ecfca750ab0ea65b5c2ec75416e5dc

SHA1
1f1d6b98d5dae3f94fc05370469a66cffc7332b5

SHA256
61ea690cfe53bf0ae298f33691c675659f554db4ad06d9e1de4af91ecc00af9e

SHA512
c527758441d64f400a4316efd56f676a798cc44e9e266d89fde1600c625c7abbd28939032ff70ed9509a39a984c27c9ec7418eadebbd7cb0c6f20fee5e181b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4B20BBF7\Stigma untimate.exe

Filesize
40KB

MD5
e69f486238d478448a42593252cfd4e9

SHA1
0693c3b7317a6309a4aed3a934194858c55aa75c

SHA256
8f8a8c9216eaf917fccb2d7b7112f1a5b145e0eee48c5674c8dfaedd3bc63d27

SHA512
effe6ddd7fafdaa4b2a49205c74551c833bee10a1004ed16dc37693b82dd662ffbdcfe9dac0e8d825ba544f99ba4ee1d44c5053827792e4ca2bc88ce916e13ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
memory/648-15-0x00007FFE26A80000-0x00007FFE27541000-memory.dmp

Filesize
10.8MB

Download
memory/648-14-0x00007FFE26A80000-0x00007FFE27541000-memory.dmp

Filesize
10.8MB

Download
memory/648-13-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/648-12-0x00007FFE26A83000-0x00007FFE26A85000-memory.dmp

Filesize
8KB

Download