xworm | 2c6f791cd3f221fd2d9c6d5c5824797ef50ebf66afc75930580190a916fc4ef4

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 05:15

Target

VClient3.1.exe
Size

328KB
MD5

8942f565fe2749f34cb6fb63d59cf511
SHA1

c393cec14caf8f8b4fcf62f0ce1eded25a3af7fc
SHA256

2c6f791cd3f221fd2d9c6d5c5824797ef50ebf66afc75930580190a916fc4ef4
SHA512

9069dfd94eeb9216ecdb33766edeb964eab2e69776f7b89e7ac1c19da3f87ef53977470f76c69c05a258c33a91272682bdc8df12c630ae5d69c444d7d18040dd
SSDEEP

6144:6Wd/R2bnJgD+GIIIIIIIhIIIIIIIIIIIIIIIU:bdJmJgk

Score

10^/10

xworm rat trojan

Family

xworm

operates-rna.with.playit.plus:4377

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3228-1-0x0000000000A40000-0x0000000000A98000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	VClient3.1.exe

C:\Users\Admin\AppData\Local\Temp\VClient3.1.exe
"C:\Users\Admin\AppData\Local\Temp\VClient3.1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

memory/3228-0-0x00007FFA02233000-0x00007FFA02235000-memory.dmp

Filesize
8KB

Download
memory/3228-1-0x0000000000A40000-0x0000000000A98000-memory.dmp

Filesize
352KB

Download
memory/3228-2-0x00007FFA02230000-0x00007FFA02CF2000-memory.dmp

Filesize
10.8MB

Download
memory/3228-3-0x00007FFA02230000-0x00007FFA02CF2000-memory.dmp

Filesize
10.8MB

Download