xworm | f2f027c21e90d41a12cfeacc16b07216a85eb17d3d4b39fdc51fe3143c8dde46

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MasonClient.exe
Size

47KB
MD5

2c8f88e34446781e1a4d201c173d420d
SHA1

c376cdd4aebccf20e85b799e9ceeeebafa77bc83
SHA256

f2f027c21e90d41a12cfeacc16b07216a85eb17d3d4b39fdc51fe3143c8dde46
SHA512

51662ad30d27268435be6fefa779932be47151b64476a1b8a48e74011140e555a377063c5d5ee3eb6a71f4e12979f3f37aef765122c8de9927cb7220fd1da7d7
SSDEEP

768:ln8y5X66Owo6hEfizVik25DTpvghbrivo2g7KPYxJ3AbiOmb00R9S34u3JceujU+:lnD66Owo6hEfizVik2BTpvghbrivFgmI

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4176-1-0x00000000002C0000-0x00000000002D2000-memory.dmp	family_xworm
behavioral2/memory/4176-3-0x0000000000AC0000-0x0000000000AD2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	MasonClient.exe

C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
"C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4176-0-0x00007FF9A9D23000-0x00007FF9A9D25000-memory.dmp

Filesize
8KB

Download
memory/4176-1-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/4176-2-0x00007FF9A9D20000-0x00007FF9AA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4176-3-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/4176-4-0x00007FF9A9D23000-0x00007FF9A9D25000-memory.dmp

Filesize
8KB

Download
memory/4176-5-0x00007FF9A9D20000-0x00007FF9AA7E1000-memory.dmp

Filesize
10.8MB

Download