xworm | 0d39e78dc7cecf5b5ed6fb2c4ddf99eeef42dc273f79fe7e1d2d2006cbfb89a5 | Triage

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 09:28

Sharing

Report Analysis Logs

General

Target

lavandaboostraper.exe
Size

32KB
MD5

f3514c1b0c98ddfd64e0bfe5a6c5d846
SHA1

67fc9cb0602ae37cdc702a7a05464ceb53619111
SHA256

0d39e78dc7cecf5b5ed6fb2c4ddf99eeef42dc273f79fe7e1d2d2006cbfb89a5
SHA512

a9bd304c77b28d34564bc99255b5097e7beae0d565ca2cc5bd66673d08a1c9267052448deea67f44ad44b102325cd6372da7ffe979980b59573ed7c934dfd2df
SSDEEP

768:RVa+vNtg+PB+3Tw49FzVFE9jROjhO7b4:ZvNtgw+3U49HFE9jROjs7k

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

so6yvToFNFYYSten

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3016-1-0x0000000000C70000-0x0000000000C7E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	lavandaboostraper.exe

C:\Users\Admin\AppData\Local\Temp\lavandaboostraper.exe
"C:\Users\Admin\AppData\Local\Temp\lavandaboostraper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-0-0x00007FFD9E2E3000-0x00007FFD9E2E5000-memory.dmp

Filesize
8KB

Download
memory/3016-1-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/3016-2-0x00007FFD9E2E0000-0x00007FFD9EDA1000-memory.dmp

Filesize
10.8MB

Download
memory/3016-3-0x00007FFD9E2E0000-0x00007FFD9EDA1000-memory.dmp

Filesize
10.8MB

Download