Overview

overview

10

Static

static

10

OCYMF_XClient.exe

windows7-x64

10

OCYMF_XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OCYMF_XClient.exe

  • Size

    197KB

  • MD5

    947531e390d56a33db1c5fac201f3d6e

  • SHA1

    6890af0bf097ca3dbf3a979251e8e9655a0d28c9

  • SHA256

    e98dc3272849a4feef91b79b5f4ceb5a5caeeb67c0ace7b951e719e4c56dc4b9

  • SHA512

    36c81a7b5ad59952e0e084df7601e14e2f4ac5530dd2937ab90f7f7693297f9776f6e970905f35cf058b76d5c3a465a112276d6426fe6527b8596504292df3e0

  • SSDEEP

    3072:Qd9KkHFE9jNOjn8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnK:QrE92UhcX7elbKTuq9bfF/H9d9n

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

ohsorry-20836.portmap.host:20836

Mutex

p0RlYlnzEbgzdE3a

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OCYMF_XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\OCYMF_XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2836-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-1-0x00000000010A0000-0x00000000010D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2836-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2836-3-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-4-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

    Filesize

    9.9MB

    Download