xworm | 6e8e22b394265e77f0b14e9d155642fd2414d20c24764ec7d6b289f35bcc2d30

Analysis

max time kernel
80s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 05:15

Target

newr6cheat.exe
Size

73KB
MD5

a4f24ec80578298dc7bb7f88e222bbb4
SHA1

87579941154a573939f33f53ff746131b47a33d6
SHA256

6e8e22b394265e77f0b14e9d155642fd2414d20c24764ec7d6b289f35bcc2d30
SHA512

2cb3e0897105a2df750333f78f999e71aab33f07a857602eb99ef833f3a354287e6717d781d6ffd386ebe5c4b97f335cdf0bf704ac6a47a08ac244f8be072fc5
SSDEEP

1536:okkYku6jLeN1jxqtdbqwqDwvc6Xk+yOy0hjmg4T:vkdK0tdbqiv9iOrdmjT

Score

10^/10

xworm rat trojan

Family

xworm

127.0.0.1:35845

white-yukon.gl.at.ply.gg:35845

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4164-1-0x0000000000680000-0x0000000000698000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	newr6cheat.exe

C:\Users\Admin\AppData\Local\Temp\newr6cheat.exe
"C:\Users\Admin\AppData\Local\Temp\newr6cheat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

memory/4164-0-0x00007FFD9E2E3000-0x00007FFD9E2E5000-memory.dmp

Filesize
8KB

Download
memory/4164-1-0x0000000000680000-0x0000000000698000-memory.dmp

Filesize
96KB

Download
memory/4164-2-0x00007FFD9E2E0000-0x00007FFD9EDA1000-memory.dmp

Filesize
10.8MB

Download
memory/4164-3-0x000000001B890000-0x000000001B992000-memory.dmp

Filesize
1.0MB

Download
memory/4164-4-0x00007FFD9E2E0000-0x00007FFD9EDA1000-memory.dmp

Filesize
10.8MB

Download