xworm | 06bef06fd48e2ceaac026d03cd94150a5cdcbc77f2ac32e3ae04eafcc9e246e5

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

33KB
MD5

91ab1360ac7ec1a9c4c14e6045eb670c
SHA1

2434e557c7b467f9bf05f96da5ef9c2d3ccc93ce
SHA256

06bef06fd48e2ceaac026d03cd94150a5cdcbc77f2ac32e3ae04eafcc9e246e5
SHA512

6bb4c0db78c386a3431608a1030ac976808704170f63571744ee887ed2b99b14c25a5eac4dd0715d375f27dcbe99d4eeb1459e726f8212249fbf2b3be13e2e5c
SSDEEP

384:wl+PkjD9+E5MFs7iui8L7zKM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99Ikul:E+CD93W03v42JiB70lVF49jWOjhJbO

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

AK8-20226.portmap.host:20226

Mutex

4rQGMjIp0t7sD2My

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2924-1-0x0000000001020000-0x000000000102E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2256	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	XClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2224	2924	XClient.exe	32
PID 2924 wrote to memory of 2224	2924	XClient.exe	32
PID 2924 wrote to memory of 2224	2924	XClient.exe	32
PID 2224 wrote to memory of 2256	2224	cmd.exe	34
PID 2224 wrote to memory of 2256	2224	cmd.exe	34
PID 2224 wrote to memory of 2256	2224	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat

Filesize
159B

MD5
26f876b18f2a1bf551b7b43129a942fa

SHA1
b08ba69ec4ff2bd06ba1dd3c10d63c118f971945

SHA256
3a3450000882dbafd213c6475c9dccfef66abaec10af41f9f8b07e6bde3ab4f8

SHA512
73fe66d91758e269e956feeda9f2be5936dbb9788b4ea30403f540d824e38be46e001163d46c11eb4669f07df68617a3fd4e27bc297065260b148582979d4021

Download Submit
memory/2924-0-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000001020000-0x000000000102E000-memory.dmp

Filesize
56KB

Download
memory/2924-2-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-3-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2924-4-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-5-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2924-6-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2924-15-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download