xworm | fc49309c85d3e0d4251f388411e3619dbbe8b3207f4c51b28ed258e63c38ac30

Analysis

max time kernel
80s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 17:37

Target

9V80M_XClient.exe
Size

82KB
MD5

d1204a713d2783ed15f21d05d36382b3
SHA1

3894a3e7357f1b1fca20f17834dc9ac3a448915b
SHA256

fc49309c85d3e0d4251f388411e3619dbbe8b3207f4c51b28ed258e63c38ac30
SHA512

d5fd18f6f2915e908555891dddf5e373244181ba45ee146f172c638df538551126a026d618779eeeb5785b8f6c40f2cc88446267a8145128b4d3de75c75709b6
SSDEEP

1536:/sGUFLw3NUPi9BbuRi2Hkjq/x6S1Opv7+bkw:/iJw3LBbuRxHk2F1Oh7+Yw

Score

10^/10

xworm rat trojan

Family

xworm

editor-monitoring.gl.at.ply.gg:35972

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4068-1-0x0000000000960000-0x000000000097A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	9V80M_XClient.exe

C:\Users\Admin\AppData\Local\Temp\9V80M_XClient.exe
"C:\Users\Admin\AppData\Local\Temp\9V80M_XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4068

memory/4068-0-0x00007FFD9E2E3000-0x00007FFD9E2E5000-memory.dmp

Filesize
8KB

Download
memory/4068-1-0x0000000000960000-0x000000000097A000-memory.dmp

Filesize
104KB

Download
memory/4068-2-0x00007FFD9E2E0000-0x00007FFD9EDA1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-3-0x00007FFD9E2E0000-0x00007FFD9EDA1000-memory.dmp

Filesize
10.8MB

Download