xworm | 79eda4e78316ec7d5cbc8fd3f66a74ee8f999bae82ce08ae48d937b9c9714614

Analysis

max time kernel
121s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 22:29

Target

jhfkasdfhkjasdhfajkshfsahf.exe
Size

66KB
MD5

cf907ddedd3d0f6800e8e3bc704d7dc2
SHA1

e8cc5a7a80799a0688d09193650d1240d26d7c42
SHA256

79eda4e78316ec7d5cbc8fd3f66a74ee8f999bae82ce08ae48d937b9c9714614
SHA512

5e2f366733c0a9ec5b515b9948d339bfed54b7daec0acc544c7eb777457194abb4c7f3c4ee137a2a59d2817d7f9889a0d5b0b9d11d68da06a2ba3362654a9490
SSDEEP

1536:0rrkATgI8XkJpWR6QwGJbgZ4nCMzMLI6BeXfOzgw2:0HRTgXrRqobgZAzMjePOzf2

Score

10^/10

xworm rat trojan

Family

xworm

45.88.91.55:7813

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/540-1-0x00000000008A0000-0x00000000008B6000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	jhfkasdfhkjasdhfajkshfsahf.exe

C:\Users\Admin\AppData\Local\Temp\jhfkasdfhkjasdhfajkshfsahf.exe
"C:\Users\Admin\AppData\Local\Temp\jhfkasdfhkjasdhfajkshfsahf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

memory/540-0-0x00007FFAA9083000-0x00007FFAA9085000-memory.dmp

Filesize
8KB

Download
memory/540-1-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/540-2-0x00007FFAA9080000-0x00007FFAA9B41000-memory.dmp

Filesize
10.8MB

Download
memory/540-3-0x00007FFAA9080000-0x00007FFAA9B41000-memory.dmp

Filesize
10.8MB

Download