xworm | 8c05c8481f5feb723a33dd64e37c63be6e4300f5f93b9db7c8eee5f8ed7a42a3

Analysis

max time kernel
127s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 09:50

Target

injector.exe
Size

277KB
MD5

5f3b05b7b6ec91a4122866385f1d4c48
SHA1

e86188c99f17e22c024c5b433c0143cd0f286967
SHA256

8c05c8481f5feb723a33dd64e37c63be6e4300f5f93b9db7c8eee5f8ed7a42a3
SHA512

0c22c2707dd57ba9a492217507bdad28a39066bb4fbeb4b725fc247ed63bc04f7872925d615c3916dd901b444dd09d70bfa14e28987f843da3ff882d87273e76
SSDEEP

3072:DcFOkMZTmiYbBLGJb+2or1+xOZWnOOSA6ypZ:DcyZTdYbBCJbRor1g6y

Score

10^/10

xworm rat trojan

Family

xworm

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4992-1-0x00000000007F0000-0x000000000083A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	injector.exe

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

memory/4992-0-0x00007FF809B83000-0x00007FF809B85000-memory.dmp

Filesize
8KB

Download
memory/4992-1-0x00000000007F0000-0x000000000083A000-memory.dmp

Filesize
296KB

Download
memory/4992-2-0x00007FF809B80000-0x00007FF80A641000-memory.dmp

Filesize
10.8MB

Download
memory/4992-3-0x00007FF809B80000-0x00007FF80A641000-memory.dmp

Filesize
10.8MB

Download