xworm | e2a6cfcbdf54e388e2e4cf7bb7819bd8cf9afcad0be756d3d9b51045b0912ddb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 00:29

Target

config.exe
Size

83KB
MD5

676d43ca821b871113829fe4f4aef2d3
SHA1

1a3f4fedd5a621707778be0a01eb6ceea1d353e4
SHA256

e2a6cfcbdf54e388e2e4cf7bb7819bd8cf9afcad0be756d3d9b51045b0912ddb
SHA512

ad6a914de317ff963aa6f731baceda573b1386c06f0d178f792263e28e71f8af51702dae9e28d0e7ef22d4e4e40a0d0bd52aef8d7a17f9d40ce03d96380f64bb
SSDEEP

1536:xzKkCZ8ryPVw52HDRFJzUQgNVWLbKpLlrwFGGA6l5hOPiVqNfkglUKdar:xzKk5IpPqQbKfPkhO8qNfkQUDr

Score

10^/10

xworm rat trojan

Family

xworm

Attributes

Install_directory
%Temp%
install_file
safemode.exe
pastebin_url
https://pastebin.com/raw/HNgp7VTj
telegram
https://api.telegram.org/bot7566882471:AAEsmeKHRV49kbZ72snynbsQH5x-Bnw1zK4/sendMessage?chat_id=1850507924

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1748-1-0x0000000000CD0000-0x0000000000CEC000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	config.exe

C:\Users\Admin\AppData\Local\Temp\config.exe
"C:\Users\Admin\AppData\Local\Temp\config.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

memory/1748-0-0x000007FEF6193000-0x000007FEF6194000-memory.dmp

Filesize
4KB

Download
memory/1748-1-0x0000000000CD0000-0x0000000000CEC000-memory.dmp

Filesize
112KB

Download
memory/1748-2-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-3-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp

Filesize
9.9MB

Download