xworm | d47c687fd7d461c74a209101551d93e134a6ced1b808820592ccc287a16fa4e6

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 05:16

Target

CryptTest.exe
Size

331KB
MD5

e513b9fd3c26ceeaca98140721c7ff88
SHA1

5001aa33730167c02688f30e754f2fb7645e8457
SHA256

d47c687fd7d461c74a209101551d93e134a6ced1b808820592ccc287a16fa4e6
SHA512

fb6a77da63984c2afbedac50e3f80c6e2a04c67576be26329c1e950df1d5de77aee2655ec295e22cffbd358d5d7ab6d939aa45e24dc38a3700ba63c92e3c03f3
SSDEEP

6144:XVi2zbXpN0+GIIIIIIIhIIIIIIIIIIIIIIIU:XVbNX

Score

10^/10

xworm rat trojan

Family

xworm

operates-rna.with.playit.plus:4377

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/224-1-0x00000000006B0000-0x000000000070A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	CryptTest.exe

C:\Users\Admin\AppData\Local\Temp\CryptTest.exe
"C:\Users\Admin\AppData\Local\Temp\CryptTest.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

memory/224-0-0x00007FFD10173000-0x00007FFD10175000-memory.dmp

Filesize
8KB

Download
memory/224-1-0x00000000006B0000-0x000000000070A000-memory.dmp

Filesize
360KB

Download
memory/224-2-0x00007FFD10170000-0x00007FFD10C32000-memory.dmp

Filesize
10.8MB

Download
memory/224-3-0x00007FFD10170000-0x00007FFD10C32000-memory.dmp

Filesize
10.8MB

Download