Overview

overview

10

Static

static

10

XClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    67s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250218-en
  • resource tags

    arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/03/2025, 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    40KB

  • MD5

    a9b71af1f7c1c652499a79776813034f

  • SHA1

    14e285ee3ad086d7ada9f25cbf43d7fd5027e108

  • SHA256

    0c119a87804c641ff42db657c03b533ec435fdd9ece96b2ee8a66bf335a38f38

  • SHA512

    d62b6348e96140e827a639ec47a6864e5129b6a68160af2146ff42e8c1e1abae969b3da3fb0290c06ede0dede09af15592d1fa2e24606c5515b505a6bf8efda3

  • SSDEEP

    768:a3Ercwg23KQdQP8VifqPUj/CU3eYRFx9uA8Z6iOwhxL0pwS:aIcwg4q8Vifi4aOeEFx9h8Z6iOwTowS

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

pretty-beauty.gl.at.ply.gg:39094

Mutex

5pc5dXhlyDs2z32Y

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4552,i,12331736354284649584,1031380232325094842,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:14
    1⤵
      PID:2164

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/5052-0-0x00007FFC669C3000-0x00007FFC669C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5052-1-0x0000000000620000-0x0000000000630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5052-2-0x00007FFC669C0000-0x00007FFC67482000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5052-3-0x00007FFC669C0000-0x00007FFC67482000-memory.dmp

      Filesize

      10.8MB

      Download