xworm | 8c05c8481f5feb723a33dd64e37c63be6e4300f5f93b9db7c8eee5f8ed7a42a3

Analysis

max time kernel
94s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/03/2025, 09:46

Target

injector.exe
Size

277KB
MD5

5f3b05b7b6ec91a4122866385f1d4c48
SHA1

e86188c99f17e22c024c5b433c0143cd0f286967
SHA256

8c05c8481f5feb723a33dd64e37c63be6e4300f5f93b9db7c8eee5f8ed7a42a3
SHA512

0c22c2707dd57ba9a492217507bdad28a39066bb4fbeb4b725fc247ed63bc04f7872925d615c3916dd901b444dd09d70bfa14e28987f843da3ff882d87273e76
SSDEEP

3072:DcFOkMZTmiYbBLGJb+2or1+xOZWnOOSA6ypZ:DcyZTdYbBCJbRor1g6y

Score

10^/10

xworm rat trojan

Family

xworm

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2248-1-0x0000000000D90000-0x0000000000DDA000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	injector.exe

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

memory/2248-0-0x00007FFBF05C3000-0x00007FFBF05C5000-memory.dmp

Filesize
8KB

Download
memory/2248-1-0x0000000000D90000-0x0000000000DDA000-memory.dmp

Filesize
296KB

Download
memory/2248-2-0x00007FFBF05C0000-0x00007FFBF1082000-memory.dmp

Filesize
10.8MB

Download
memory/2248-3-0x00007FFBF05C0000-0x00007FFBF1082000-memory.dmp

Filesize
10.8MB

Download