xworm | 06bef06fd48e2ceaac026d03cd94150a5cdcbc77f2ac32e3ae04eafcc9e246e5

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

33KB
MD5

91ab1360ac7ec1a9c4c14e6045eb670c
SHA1

2434e557c7b467f9bf05f96da5ef9c2d3ccc93ce
SHA256

06bef06fd48e2ceaac026d03cd94150a5cdcbc77f2ac32e3ae04eafcc9e246e5
SHA512

6bb4c0db78c386a3431608a1030ac976808704170f63571744ee887ed2b99b14c25a5eac4dd0715d375f27dcbe99d4eeb1459e726f8212249fbf2b3be13e2e5c
SSDEEP

384:wl+PkjD9+E5MFs7iui8L7zKM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99Ikul:E+CD93W03v42JiB70lVF49jWOjhJbO

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

AK8-20226.portmap.host:20226

Mutex

4rQGMjIp0t7sD2My

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3728-1-0x00000000005B0000-0x00000000005BE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1584	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4332	3728	XClient.exe	106
PID 3728 wrote to memory of 4332	3728	XClient.exe	106
PID 4332 wrote to memory of 1584	4332	cmd.exe	108
PID 4332 wrote to memory of 1584	4332	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp69D7.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp69D7.tmp.bat

Filesize
159B

MD5
8c00ade4e309f304978de6e9e99d25f8

SHA1
ee95be052174125d447ce8274bd16a9f5762f492

SHA256
dbec1e4e1a175469fd7000df6e15fb13d049db4e7ab294685cc1d7a2f6349ebc

SHA512
e13ed7b77cea360e182648f5376bd9ddba107f283788bf287f260127317bf5a7183c531892b808e54357bd03a6073a28e9abb80c91519ea3c10928e6e820aafb

Download Submit
memory/3728-0-0x00007FFA40EC3000-0x00007FFA40EC5000-memory.dmp

Filesize
8KB

Download
memory/3728-1-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/3728-2-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/3728-3-0x00007FFA40EC3000-0x00007FFA40EC5000-memory.dmp

Filesize
8KB

Download
memory/3728-4-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/3728-9-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download