xworm | f9cb43639809adf0d7bb547cfe3500f0ebdf09b435a587d1de41f40adb21c3d2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9cb43639809adf0d7bb547cfe3500f0ebdf09b435a587d1de41f40adb21c3d2.exe
Size

54KB
MD5

75e0b2d9a78680bc055a20855da9069f
SHA1

170eb70afe8bbca594bc0b9efd2c6b3d04b8d81c
SHA256

f9cb43639809adf0d7bb547cfe3500f0ebdf09b435a587d1de41f40adb21c3d2
SHA512

1d39877c09f8688d8fcdeb1e943ff19e0b1c5e478a4746a69538f95e8d15f2d6aefd968872441138f9a77ada1aff226a491a99546c749b842834c8227b52a8f3
SSDEEP

1536:ubmBsFyRChrDbeaRFw9ZmU6iOCDV+dS1EAd8IIR:uFoObeaRFw9ZtOCEgEA6IIR

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

192.168.100.30:4160

host-conviction.gl.at.ply.gg:4160

147.185.221.26:4160

mm-lucky.gl.at.ply.gg:4160

Mutex

9JBntLMS49RnJZLl

Attributes

Install_directory
%Temp%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3668-1-0x0000000000F40000-0x0000000000F54000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	f9cb43639809adf0d7bb547cfe3500f0ebdf09b435a587d1de41f40adb21c3d2.exe

C:\Users\Admin\AppData\Local\Temp\f9cb43639809adf0d7bb547cfe3500f0ebdf09b435a587d1de41f40adb21c3d2.exe
"C:\Users\Admin\AppData\Local\Temp\f9cb43639809adf0d7bb547cfe3500f0ebdf09b435a587d1de41f40adb21c3d2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3668-0-0x00007FFBCBD93000-0x00007FFBCBD95000-memory.dmp

Filesize
8KB

Download
memory/3668-1-0x0000000000F40000-0x0000000000F54000-memory.dmp

Filesize
80KB

Download
memory/3668-2-0x00007FFBCBD90000-0x00007FFBCC851000-memory.dmp

Filesize
10.8MB

Download
memory/3668-3-0x00007FFBCBD90000-0x00007FFBCC851000-memory.dmp

Filesize
10.8MB

Download