xworm | 09f63545ff2c15f2c563443d2c2cd546ed4c6f4507e447faf892fecc08dc493d

Analysis

max time kernel
136s
max time network
138s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/03/2025, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nurik 1.12.2-1.16.5.rar
Size

9.7MB
MD5

2ad3c3144b5fa3dc25b8b19b8a718b98
SHA1

f00a57b95b8c33aef233193c0ca539ad2b2cebde
SHA256

09f63545ff2c15f2c563443d2c2cd546ed4c6f4507e447faf892fecc08dc493d
SHA512

eb23ba29bd6ef5a8d591757024d4d8456899d77662bc0a063d039059fe9ec208d0d00832f6f4af4d865215e928cf9ee18706311635ba8093cc996e509d4fd615
SSDEEP

196608:dufLYMePTVw+Qo3dnhQAiJBcH7Y3r7ufvnQwAWRjt0P7s9vMu70klu/X:duTr6p1hQD3cH23SnQwFRjtiWvMfrX

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Idlerkik-51025.portmap.host:51025

Mutex

rSFFOfqaVoKkdUae

Attributes

Install_directory
%AppData%
install_file
svhost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0012000000027e3c-88.dat	family_xworm
behavioral1/memory/3208-91-0x0000000000560000-0x0000000000570000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
3208	CrackLauncher.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3268	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3268	7zFM.exe
Token: 35	3268	7zFM.exe
Token: SeSecurityPrivilege	3268	7zFM.exe
Token: SeDebugPrivilege	3208	CrackLauncher.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3268	7zFM.exe
3268	7zFM.exe
3268	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nurik 1.12.2-1.16.5.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3244

C:\Users\Admin\Desktop\Nursultan 1.12.2-1.16.5 Crack\CrackLauncher.exe
"C:\Users\Admin\Desktop\Nursultan 1.12.2-1.16.5 Crack\CrackLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nursultan 1.12.2-1.16.5 Crack\README.txt
1⤵
PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Nursultan 1.12.2-1.16.5 Crack\CrackLauncher.exe

Filesize
42KB

MD5
4f7d0cb075b81a3923661409b47e8a31

SHA1
d3aa635fedd9adff2a821fa20e7f8b9fac838ed4

SHA256
4e3b031bcd6552a48501e629c37e53d58721cde1b494ee96f8ba9473be7ff6d6

SHA512
3e3fea0be7af651bb2b7eba42543112912808931a9f8f84e7ab8f424910b190c113a99bf4859d032bc0ae3478398b93ffe5d025b7dc1dffe37111ea6d3e7a66e

Download Submit
memory/3208-90-0x00007FFA61923000-0x00007FFA61925000-memory.dmp

Filesize
8KB

Download
memory/3208-91-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/3208-92-0x00007FFA61920000-0x00007FFA623E2000-memory.dmp

Filesize
10.8MB

Download
memory/3208-93-0x00007FFA61920000-0x00007FFA623E2000-memory.dmp

Filesize
10.8MB

Download