xworm | 7ad235452a11f0343fcf1def524d04800e591b13e40188cc1cf5be37e9628f36

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VuxaSpoofer.exe
Size

3.6MB
MD5

d4473f64014380bd2f087935d01e4cf4
SHA1

39d009e253008ed76a65c76bcd55010b016638c1
SHA256

7ad235452a11f0343fcf1def524d04800e591b13e40188cc1cf5be37e9628f36
SHA512

27865bf8b587ee2b5da590ff72a510702591e52c2d8e377cf90b44e2a602ae5a6f605231506cbd65b41fa7c28df332e08aeca3fbb6ee0aea9c33540179e3ed34
SSDEEP

98304:GLYNYcvh7hfw9An9todOS5J+ZkvtnpKLiFqI8wM/4v:GLw1hFfwMrQOS5fVnpKGFm/K

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

front-cad.gl.at.ply.gg:36514

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001000000001924f-11.dat	family_xworm
behavioral1/memory/2700-12-0x0000000000260000-0x000000000027C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2720	Paid.exe
2700	Connect.exe

Loads dropped DLL 1 IoCs

pid	Process
2676	VuxaSpoofer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	Connect.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2720	2676	VuxaSpoofer.exe	30
PID 2676 wrote to memory of 2720	2676	VuxaSpoofer.exe	30
PID 2676 wrote to memory of 2720	2676	VuxaSpoofer.exe	30
PID 2676 wrote to memory of 2700	2676	VuxaSpoofer.exe	31
PID 2676 wrote to memory of 2700	2676	VuxaSpoofer.exe	31
PID 2676 wrote to memory of 2700	2676	VuxaSpoofer.exe	31

C:\Users\Admin\AppData\Local\Temp\VuxaSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\VuxaSpoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\Paid.exe
  "C:\Users\Admin\AppData\Roaming\Paid.exe"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Users\Admin\AppData\Roaming\Connect.exe
  "C:\Users\Admin\AppData\Roaming\Connect.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Connect.exe

Filesize
89KB

MD5
580f966bca64e1838138589efb274ec3

SHA1
d4c22ee1fe9a76fa0f51c1e4d885116b831b9a57

SHA256
dba6845453995506c8bfcb417c0fbf741d07bb0484927167d1510f0bb3862686

SHA512
0f06f9f31cd9c5140e8a39324cdced94f4da866ec0a7fa39c4f87808aa551460de173413afea7ffe45775100cb4d4cdea8080448bdf25f47a3a1bf309751c090

Download Submit
C:\Users\Admin\AppData\Roaming\Paid.exe

Filesize
3.5MB

MD5
849e6926ec1d2ad952623ff4905b869b

SHA1
4e567998c13dec2ef1f07b2cbf6d642bc1f2468b

SHA256
09e8cbc8a6f433619866af77be8ee91c36ebb49aedac1de6f153d47d71e4ff26

SHA512
adc24c827245e4b159c7b219d0eddbea6b70039ec83bdf4169bc94d0f4701c249c82a17e553e401d9f62e8dd73d72d5877d86544c1c34b27428a3e206d584fd2

Download Submit
memory/2676-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2676-1-0x0000000000150000-0x00000000004EA000-memory.dmp

Filesize
3.6MB

Download
memory/2700-12-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2700-13-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2700-14-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2700-15-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download