Overview

overview

10

Static

static

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    30KB

  • MD5

    67f1956e7b4cc0c51cb1d25dbfd83e56

  • SHA1

    639240a4e0361012f1fa892bbd81fdfef59a02cd

  • SHA256

    375291a84e0532bc0cdb00b48f33ab1044cb3af83e23e1bbb5dcb3bde5f76ab0

  • SHA512

    1f64c88f51bbc95fefcc524656f1d3ab4df42754a8160a14fae3ed81a78511952dabc8cb4a7a4c403405a591b3186886df8203ea2dd3d12749458517e504d400

  • SSDEEP

    384:I7wTA+5OfPgEBQqWvfcQLZe3s80hYACSqR/inw2uRugtFuBLTIOZw/WVnvn9IkVj:6rgECfLH8MYAoR/iw2uBFE9RAOqhibB

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

mikeykiller.ddns.net:1177

Mutex

R93qDdAxW1rwFEDX

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3868-0-0x00007FFCCAC53000-0x00007FFCCAC55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3868-1-0x00000000009B0000-0x00000000009BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3868-2-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3868-3-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

    Filesize

    10.8MB

    Download