xworm | 1803c1f48e626b2ec0e2620649d818ebf546bfe58dffddfbad224f20a8106ba0

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 04:20

Target

svchost.exe
Size

69KB
MD5

35de149d3c81727ea4cce81a09f08581
SHA1

dfa61238834b2f689822ece4f3b9f3c04f46cd0a
SHA256

1803c1f48e626b2ec0e2620649d818ebf546bfe58dffddfbad224f20a8106ba0
SHA512

dc7986c5849b6aa21ce27f0dac697f2a9d069fcd3652f1a50d1d50ab06985b6ea436458cc63dd16d7030be75db7e20c84e62bd05062b06a5ec18e2fca2b50152
SSDEEP

1536:VmWuQglZi3V87QEw59b0fKNEehQCOWdZT1:V/gloEQEy9b00+COqN1

Score

10^/10

xworm rat trojan

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1428-1-0x00000000006B0000-0x00000000006C8000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

memory/1428-0-0x00007FFD0C313000-0x00007FFD0C315000-memory.dmp

Filesize
8KB

Download
memory/1428-1-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/1428-2-0x000000001D6B0000-0x000000001D7B2000-memory.dmp

Filesize
1.0MB

Download