xworm | 213f8f74208577665d8eba6e082166a4f7c69bccf53439a78352262aff155856

Analysis

max time kernel
77s
max time network
73s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steamtools.exe
Size

16.5MB
MD5

97592018d4745ddb6f4881afbeaab229
SHA1

f72f7b9b3a17ca5df104196b13faa561f323d3c4
SHA256

213f8f74208577665d8eba6e082166a4f7c69bccf53439a78352262aff155856
SHA512

6f259dd64ecdf97dba0e0a581cc8b664e1fcc2d1c64e94b4654b83e6631264614f14f88857565f23e258e1fcb18590e0ac526e9b380fce88c65a0223b9fefd3d
SSDEEP

393216:wvQ37gGFSrT4XvbmLeLAOqNs2WxsDneQ4LUo7DGqCcKKn:wvkSrT4XvbyeLAO2LeQ54DzKC

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

192.3.141.148:2020

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000120d6-6.dat	family_xworm
behavioral1/memory/1892-7-0x0000000000F40000-0x0000000000F58000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
1892	svchost.exe
2288	Steamtools.exe

Loads dropped DLL 1 IoCs

pid	Process
1836	steamtools.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2288	Steamtools.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2288	Steamtools.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe
2288	Steamtools.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1892	1836	steamtools.exe	30
PID 1836 wrote to memory of 1892	1836	steamtools.exe	30
PID 1836 wrote to memory of 1892	1836	steamtools.exe	30
PID 1836 wrote to memory of 2288	1836	steamtools.exe	31
PID 1836 wrote to memory of 2288	1836	steamtools.exe	31
PID 1836 wrote to memory of 2288	1836	steamtools.exe	31

C:\Users\Admin\AppData\Local\Temp\steamtools.exe
"C:\Users\Admin\AppData\Local\Temp\steamtools.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Users\Admin\AppData\Roaming\Steamtools.exe
  "C:\Users\Admin\AppData\Roaming\Steamtools.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
73KB

MD5
1ccc85528e0b841dc8e62959c21a9332

SHA1
6918330496f49047808a22d46b5d5ed077f947ae

SHA256
f94b00acec752399dc0f8abe5ab4eea40b998fe4291f9de8c690806997c76c87

SHA512
c01a0990d463317fba18477e25d714f306b6b8e1a68d633d5ce46716175ccbd854788378d40e66c6924dc8b1cee02117d393394097c8dd720a1852d12c6b1417

Download Submit
\Users\Admin\AppData\Roaming\Steamtools.exe

Filesize
16.3MB

MD5
1a475aa5000d3958df447de17e0dc14b

SHA1
8a45a8a2b38a524633a99abc7994aa0ac46c03ce

SHA256
1208c4d240918ab0b4767bc6a5c0cbe83ee7f21408fb0c5ea68769ebea759b3e

SHA512
e86be352a5732d18db772f3fc80a70ebb223d68148057663ed18aab5c2221fe6d1cb48d4f4e22940419e9144aeacdc03ea05739352f86aed7ce967afd7e80911

Download Submit
memory/1836-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/1836-1-0x0000000000F10000-0x0000000001F8A000-memory.dmp

Filesize
16.5MB

Download
memory/1892-7-0x0000000000F40000-0x0000000000F58000-memory.dmp

Filesize
96KB

Download
memory/1892-10-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1892-17-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1892-18-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-16-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/2288-15-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/2288-20-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/2288-19-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download