Analysis

  • max time kernel
    123s
  • max time network
    127s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/03/2025, 21:56

General

  • Target
    XClient.exe
  • Size
    40KB
  • MD5
    0334587017d74807b00251f1ab0183dd
  • SHA1
    cd9f7e14d8c26fcd8e069764114c067348d5d524
  • SHA256
    a1e95cccfb6877cfc5ba62ed4eaa1d7db156bc28ff8e333f23a32136ab0d2dd3
  • SHA512
    d20b6fcc0845510baeb129df06d2510d2c7d0a36d8c07241dfb8919fd63ffd0ae1ee2ae5338f6ca4d7a5720e06e33df92a0e5f2eebd12fad2ffc98868fdeae40
  • SSDEEP
    768:s61VuM53Kd5DbsObdC/21RXAFx9k2lbl6iOwhlLZIoE:JVuMgvDlpCdFx9DlB6iOwLNE

Score
10/10

Malware Config

Extracted

  • Family
    xworm
  • Version
    5.0
  • Mutex
    DJkJFbiBItvqYGuP
  • Attributes
    • Install_directory
      %AppData%
    • install_file
      svchost.exe
    • pastebin_url
      https://pastebin.com/raw/hqEh9cLB
    • aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:4000
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID:2688
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4584
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      • Modifies registry class
      PID:2284
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      PID:760
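The Malware Config above gives the three host- and network-level indicators worth hunting for: the dropped copy named svchost.exe under %AppData% (the genuine service host only runs from System32 or SysWOW64, as the svchost.exe entry in the Processes list shows), the mutex DJkJFbiBItvqYGuP, and the pastebin raw URL the client fetches its C2 address from. Two caveats from the report itself: the run only shows the sample's own process plus Windows search components (MiniSearchHost.exe, BackgroundTransferHost.exe), so the %AppData% install was not observed here, and the registry and SetWindowsHookEx signatures are attached to those Windows processes, not to XClient.exe. The following is an added example, not code from the sandbox report or from XWorm; it runs the report's indicators over hand-written, Sysmon-style events whose field names (EventType, Image, CommandLine, Hashes, DestinationHostname, Url) are assumptions about the log schema, and the mutex check assumes the mutex may live in either the local or the Global namespace.

```python
"""Hunt for the XWorm 5.0 indicators from the report over Sysmon-style events.

Added example, not from the sandbox report. Indicator values are copied from
the report; the event schema and the namespace of the mutex are assumptions.
"""
import re
import sys
from dataclasses import dataclass

# Indicators copied from the report.
SAMPLE_SHA256 = "a1e95cccfb6877cfc5ba62ed4eaa1d7db156bc28ff8e333f23a32136ab0d2dd3"
SAMPLE_MD5 = "0334587017d74807b00251f1ab0183dd"
MUTEX = "DJkJFbiBItvqYGuP"
INSTALL_FILE = "svchost.exe"      # dropped under %AppData% per the config
PASTEBIN_URL = "https://pastebin.com/raw/hqEh9cLB"

# The genuine service host only runs from these directories; a file with the
# same name anywhere else is what the config's install_file would produce.
LEGIT_SVCHOST_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
PASTEBIN_RAW_RE = re.compile(r"https?://pastebin\.com/raw/", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def parse_hashes(hashes: str) -> dict:
    """Parse a Sysmon-style 'SHA256=...,MD5=...' field into {ALGO: lowercase hex}."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_process(ev: dict) -> list:
    """Rules for one process-creation event (assumed fields: Image, CommandLine, Hashes)."""
    findings = []
    image = ev.get("Image", "")
    low = image.lower()
    hashes = parse_hashes(ev.get("Hashes", ""))
    if hashes.get("SHA256") == SAMPLE_SHA256 or hashes.get("MD5") == SAMPLE_MD5:
        findings.append(Finding("known_xworm_hash", image))
    if low.endswith("\\" + INSTALL_FILE) and not any(d in low for d in LEGIT_SVCHOST_DIRS):
        findings.append(Finding("svchost_outside_system32", image))
    if PASTEBIN_RAW_RE.search(ev.get("CommandLine", "")):
        findings.append(Finding("pastebin_raw_in_cmdline", ev["CommandLine"]))
    return findings


def check_network(ev: dict) -> list:
    """Rules for one network event; the exact config URL is the strong indicator."""
    url = ev.get("Url", "")
    who = ev.get("Image", "?")
    if url.lower() == PASTEBIN_URL.lower():
        return [Finding("pastebin_c2_lookup", f"{who} -> {url}")]
    if PASTEBIN_RAW_RE.search(url):
        return [Finding("pastebin_raw_fetch", f"{who} -> {url}")]
    return []


def hunt(events: list) -> list:
    """Run every rule over a list of events and collect the findings."""
    findings = []
    for ev in events:
        if ev.get("EventType") == "process":
            findings.extend(check_process(ev))
        elif ev.get("EventType") == "network":
            findings.extend(check_network(ev))
    return findings


def mutex_present(name: str = MUTEX):
    """Live-host check for the config's mutex: True/False on Windows, None elsewhere.
    Assumption: the mutex may be in the session-local or the Global namespace."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    for candidate in (name, "Global\\" + name):
        handle = k32.OpenMutexW(SYNCHRONIZE, False, candidate)
        if handle:
            k32.CloseHandle(handle)
            return True
    return False


# Constructed events: the first two mirror the report's process list, the third
# is the install the config describes, the fourth is the C2 address lookup.
SAMPLE_EVENTS = [
    {"EventType": "process",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\XClient.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\XClient.exe"',
     "Hashes": f"SHA256={SAMPLE_SHA256},MD5={SAMPLE_MD5}"},
    {"EventType": "process",
     "Image": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventType": "process",
     "Image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"',
     "Hashes": "SHA256=" + "1" * 64},
    {"EventType": "network",
     "Image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "DestinationHostname": "pastebin.com",
     "Url": PASTEBIN_URL},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.detail}")
    print("mutex present on this host:", mutex_present())
```

The legitimate svchost.exe from the report (System32, `-k LocalService -p -s NPSMSvc`) produces no finding, while the same file name under %AppData%\Roaming does; the hash rule only matches this exact build, so the path and pastebin rules are the ones that survive a recompiled client.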

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\672788e6-f575-45f0-a662-1d3fa3dbd11e.down_data
    Filesize 555KB
    MD5 5683c0028832cae4ef93ca39c8ac5029
    SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
    SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
    SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize 25KB
    MD5 d146d48dc96a7666cc1849cba6d36ffd
    SHA1 182db2b149befa42083fb6d02dec4601fd4c03f5
    SHA256 9d22a292fee707e3eabbf39559889cb18e0244201b9729fcf036c74a354d8846
    SHA512 acc72c6de3b9c3c1c27c6d4e70c6068a6b61c12efde557f04772667299f0d566bdad3721e34cb3a0c768172d17bad927ac89d9a211c7c3dca552573bf6380900
  • memory/4000-0-0x00007FFC85B93000-0x00007FFC85B95000-memory.dmp
    Filesize 8KB
  • memory/4000-1-0x0000000000BF0000-0x0000000000C00000-memory.dmp
    Filesize 64KB
  • memory/4000-2-0x00007FFC85B90000-0x00007FFC86652000-memory.dmp
    Filesize 10.8MB
  • memory/4000-3-0x00007FFC85B90000-0x00007FFC86652000-memory.dmp
    Filesize 10.8MB