xworm | 50cbd7b401dd981c6f20e7b1ad08e8ab83f79dffe6e86e0e3ea070b985341950

Analysis

max time kernel
80s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 20:50

Target

RedWareTempV4.exe
Size

64KB
MD5

f573c1654f1cbac33b51e77fc6393dc3
SHA1

de9ef44fa5564c273bc1d4bf514b32b50aee55cb
SHA256

50cbd7b401dd981c6f20e7b1ad08e8ab83f79dffe6e86e0e3ea070b985341950
SHA512

c2319c4a54b83ac517e64ce06968c8ed89dc78eb7555a593e071d677c5cd0c9136b540358784a1e4c12f26a1b8b03c00aad4f3498a0a787c19bcb0c89cddc1d5
SSDEEP

1536:s714UydDNJkbUn2boU13xeR6rrsN3OMDgCTz2:6mLgboCxy3OMDX2

Score

10^/10

xworm rat trojan

Family

xworm

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1428-1-0x0000000000540000-0x0000000000556000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	RedWareTempV4.exe

C:\Users\Admin\AppData\Local\Temp\RedWareTempV4.exe
"C:\Users\Admin\AppData\Local\Temp\RedWareTempV4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

memory/1428-0-0x00007FFB81A23000-0x00007FFB81A25000-memory.dmp

Filesize
8KB

Download
memory/1428-1-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/1428-2-0x00007FFB81A20000-0x00007FFB824E1000-memory.dmp

Filesize
10.8MB

Download
memory/1428-3-0x00007FFB81A20000-0x00007FFB824E1000-memory.dmp

Filesize
10.8MB

Download