xworm | 2d5050ca25920cb7a52aa4f77f1ed6a2ce4766d240eba793bac4b14af7d0681f

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 18:07

Target

XCliente.exe
Size

30KB
MD5

b332466e7ad8264e2845d31415725f42
SHA1

141d8093915d85fac1501d06a87ba901c39b8107
SHA256

2d5050ca25920cb7a52aa4f77f1ed6a2ce4766d240eba793bac4b14af7d0681f
SHA512

a60b7398ac9d92089994e9125e7259e9cca83bb05070a31a092d89122b76394905c1d07111b94756cf4fc91942296acb989498b1870b65d3fd29897e12d1a57a
SSDEEP

384:ueAwIGmeffcbWICWv/0ILZGPcj0hYACSqR/inw2uRugtFuBLTIOZw/WVnvn9IkVO:+ecbl/b3jMYAoR/iw2uBFE9RYOqhtb3

Score

10^/10

xworm rat trojan

Family

xworm

Version

3.1

192.168.1.114:1177

Mutex

roEOWd2CTFvG3l1K

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1432-1-0x0000000000710000-0x000000000071E000-memory.dmp	family_xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	XCliente.exe

C:\Users\Admin\AppData\Local\Temp\XCliente.exe
"C:\Users\Admin\AppData\Local\Temp\XCliente.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

memory/1432-0-0x00007FF909683000-0x00007FF909685000-memory.dmp

Filesize
8KB

Download
memory/1432-1-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/1432-2-0x00007FF909680000-0x00007FF90A141000-memory.dmp

Filesize
10.8MB

Download
memory/1432-3-0x00007FF909683000-0x00007FF909685000-memory.dmp

Filesize
8KB

Download
memory/1432-4-0x00007FF909680000-0x00007FF90A141000-memory.dmp

Filesize
10.8MB

Download