xworm | 852d02731622dc6ff56a840167695810dbef423da5c77cb6bfb05aca6ee6c826

Analysis

max time kernel
839s
max time network
839s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 16:40

Target

XX.exe
Size

87KB
MD5

d5c6de191863e7210ad5c78d367ec500
SHA1

4f80e306a00a89e9ce72b085da9c347f2a9b6c7d
SHA256

852d02731622dc6ff56a840167695810dbef423da5c77cb6bfb05aca6ee6c826
SHA512

cd66a094ba9de5e6914eed35b6d3c7e9b568a8b20e352f418915f9461974becb2dd4a7ed542d89d9706ea8fb365bc3a065f751f52bfad22a585d56db8e221c3f
SSDEEP

1536:9CyhzmU2zzrAbG1wlIC9vLePbwMTHBfsrG26R320fsOJ35zCw4dKl:MIGfAlyK2bw4hfsrGFzUOJpz9fl

Score

10^/10

xworm rat trojan

Family

xworm

three-under.gl.at.ply.gg:34716

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2100-1-0x0000000000A00000-0x0000000000A1C000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	XX.exe

C:\Users\Admin\AppData\Local\Temp\XX.exe
"C:\Users\Admin\AppData\Local\Temp\XX.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

memory/2100-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000A00000-0x0000000000A1C000-memory.dmp

Filesize
112KB

Download
memory/2100-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-3-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download