xworm | 1780e7a2ff810fcaeb2aa616efec011dc2af042d918f6ab4c2e26aea4bb91b17

Resubmissions

06/03/2025, 13:48

250306-q3313aztby 10

06/03/2025, 13:43

250306-qz9z7szqw8 10

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df.exe
Size

47KB
MD5

ead40c54358549d98d46410ac153ab2d
SHA1

30211c2325574f2fd8ec8ff465db956722c8e32e
SHA256

1780e7a2ff810fcaeb2aa616efec011dc2af042d918f6ab4c2e26aea4bb91b17
SHA512

54d546924662055ec1118d7e12be5cff6f8b856d1fa32864d88d77910b28788a8557144c7a6d83e5acb83490d845a68e8edc2d078a6a535480b756e8d7ed4a18
SSDEEP

768:Dxdajsmwa+PZCVMpUbw8lvTTybtvoLFemiC0ApjkrbTEyG9aLevxhJOfb+1Z:1d6smwa+PZSMpUbw8lbTybtvkFe9o1O

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/memory/3432-1-0x0000000000440000-0x0000000000452000-memory.dmp	family_xworm
behavioral3/memory/3432-3-0x00000000025B0000-0x00000000025C2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	df.exe

C:\Users\Admin\AppData\Local\Temp\df.exe
"C:\Users\Admin\AppData\Local\Temp\df.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control