xworm | 3528e3b0a01a175a885033eed18569a4cd34641373f5d42af5866d5d2d280f1c

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 22:58

Target

47294823947829478921143897148794298374.exe
Size

167KB
MD5

f86c5f136512f4e76e0737f8ccc302a3
SHA1

78000060bca357dbb9fbe29633c46fd4ea1cd9f5
SHA256

3528e3b0a01a175a885033eed18569a4cd34641373f5d42af5866d5d2d280f1c
SHA512

e371660eb576a50dfa9d619ccf0367511d3b5d4985c8577ce5160b146d1385a7bf2db5c58fe5e235f80bcbada8e517590b944b589fe811613169426374015f79
SSDEEP

3072:VuFG7Z9+FbSVx/BecODps2zBz65/M6If+3Js+3JFkKeTnQ:B7Z9ObSxpeJu2zxBt25

Score

10^/10

xworm rat trojan

Family

xworm

45.88.91.55:8893

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4928-1-0x0000000000560000-0x0000000000590000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	47294823947829478921143897148794298374.exe

C:\Users\Admin\AppData\Local\Temp\47294823947829478921143897148794298374.exe
"C:\Users\Admin\AppData\Local\Temp\47294823947829478921143897148794298374.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

memory/4928-0-0x00007FFB96F23000-0x00007FFB96F25000-memory.dmp

Filesize
8KB

Download
memory/4928-1-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/4928-2-0x00007FFB96F20000-0x00007FFB979E1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-3-0x00007FFB96F20000-0x00007FFB979E1000-memory.dmp

Filesize
10.8MB

Download