xworm | e0e8dc309849f9da9ff2aaf5394a267748b5a5c0009ace4d2873726c80ed0eec

Analysis

max time kernel
893s
max time network
443s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2025, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Algorithm_Converter_Arab-you (2).exe
Size

497KB
MD5

19ab3a28f430378150bb4a7afc2a5a5e
SHA1

24f62552fb20cb81fb2b3a1521f698b9b7f58848
SHA256

e0e8dc309849f9da9ff2aaf5394a267748b5a5c0009ace4d2873726c80ed0eec
SHA512

9781a3b465176fa88d7883bad64661672472bc77e42fc145d92524f86bf11eec57be11ab885de01539085cff292fb0051bc2bf59366b8437c0d788caf1d9d900
SSDEEP

12288:PGMnkN1TDTvX7ym4vw+8ixjvrWem7kC+8:nG1TDTvLVkrrTm

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

3skr.uncofig.com:9999

Mutex

f5nPSEGIk3s9ZJvj

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001f00000002ae13-7.dat	family_xworm
behavioral1/memory/2664-29-0x0000000000D40000-0x0000000000D50000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2664	sat.exe
1200	Algorithm_Converter_Arab-you.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	sat.exe
Token: 33	4028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4028	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5512 wrote to memory of 2664	5512	Algorithm_Converter_Arab-you (2).exe	79
PID 5512 wrote to memory of 2664	5512	Algorithm_Converter_Arab-you (2).exe	79
PID 5512 wrote to memory of 1200	5512	Algorithm_Converter_Arab-you (2).exe	80
PID 5512 wrote to memory of 1200	5512	Algorithm_Converter_Arab-you (2).exe	80

C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you (2).exe
"C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you (2).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5512
- C:\Users\Admin\AppData\Local\Temp\sat.exe
  "C:\Users\Admin\AppData\Local\Temp\sat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
  "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
  2⤵
  - Executes dropped EXE
  PID:1200

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe

Filesize
451KB

MD5
33522284723daa90db52009c4f7fcc4c

SHA1
4852b496baa645e48ddd2ab4cf7236a9d9c77639

SHA256
6cab09505aa9056de42fa60f8d294f5808ff77bf784792b6a5f270b096b662d6

SHA512
6544f7f08eaacc640137ba1a2ee114485d43ed4462d521712cee69fb9dad4eb83d85dda63506dc44989d7b35511fa4fed6e094bef51f21e3f1897d14de89a32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sat.exe

Filesize
38KB

MD5
e164da45cc32bca07988cacac801769e

SHA1
52a3c61a3d34463fc1af177432d7c479ecdbc516

SHA256
ca900befdbee89117db35225852504d18b34ce00fe0fc079cd6c295204f620f6

SHA512
308c8d12c3f504099f7bba2d0f2a9624a9318a353af8ec13a460ca50b64928a6f39384c80d195e3f431ea7da7b76e0610332f5629af853d61e708869bd23ecb7

Download Submit
memory/1200-31-0x0000000000DB0000-0x0000000000E26000-memory.dmp

Filesize
472KB

Download
memory/1200-33-0x0000000021840000-0x0000000021874000-memory.dmp

Filesize
208KB

Download
memory/1200-39-0x00007FF90FF00000-0x00007FF9109C2000-memory.dmp

Filesize
10.8MB

Download
memory/1200-38-0x0000000021BA0000-0x0000000021BBE000-memory.dmp

Filesize
120KB

Download
memory/1200-35-0x0000000021890000-0x00000000218D6000-memory.dmp

Filesize
280KB

Download
memory/1200-32-0x00007FF90FF00000-0x00007FF9109C2000-memory.dmp

Filesize
10.8MB

Download
memory/1200-37-0x0000000021B90000-0x0000000021B9D000-memory.dmp

Filesize
52KB

Download
memory/1200-36-0x0000000021A40000-0x0000000021A49000-memory.dmp

Filesize
36KB

Download
memory/2664-29-0x0000000000D40000-0x0000000000D50000-memory.dmp

Filesize
64KB

Download
memory/2664-34-0x00007FF90FF00000-0x00007FF9109C2000-memory.dmp

Filesize
10.8MB

Download
memory/2664-28-0x00007FF90FF00000-0x00007FF9109C2000-memory.dmp

Filesize
10.8MB

Download
memory/5512-4-0x00007FF90FF00000-0x00007FF9109C2000-memory.dmp

Filesize
10.8MB

Download
memory/5512-0-0x00007FF90FF03000-0x00007FF90FF05000-memory.dmp

Filesize
8KB

Download
memory/5512-30-0x00007FF90FF00000-0x00007FF9109C2000-memory.dmp

Filesize
10.8MB

Download
memory/5512-1-0x0000000000270000-0x00000000002F0000-memory.dmp

Filesize
512KB

Download