xworm | 0d39e78dc7cecf5b5ed6fb2c4ddf99eeef42dc273f79fe7e1d2d2006cbfb89a5

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 09:28

Target

lavandaboostraper.exe
Size

32KB
MD5

f3514c1b0c98ddfd64e0bfe5a6c5d846
SHA1

67fc9cb0602ae37cdc702a7a05464ceb53619111
SHA256

0d39e78dc7cecf5b5ed6fb2c4ddf99eeef42dc273f79fe7e1d2d2006cbfb89a5
SHA512

a9bd304c77b28d34564bc99255b5097e7beae0d565ca2cc5bd66673d08a1c9267052448deea67f44ad44b102325cd6372da7ffe979980b59573ed7c934dfd2df
SSDEEP

768:RVa+vNtg+PB+3Tw49FzVFE9jROjhO7b4:ZvNtgw+3U49HFE9jROjs7k

Score

10^/10

xworm rat trojan

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

so6yvToFNFYYSten

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2524-1-0x0000000000B60000-0x0000000000B6E000-memory.dmp	family_xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	lavandaboostraper.exe

C:\Users\Admin\AppData\Local\Temp\lavandaboostraper.exe
"C:\Users\Admin\AppData\Local\Temp\lavandaboostraper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

memory/2524-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2524-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-3-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2524-4-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download