xworm | 85f939d7f070e905a0ed179a84ac6cb2abd9d653043d73941e20f4e294550ebd

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno-v1.1.5/Xeno.exe
Size

225KB
MD5

e03118ab68063079f8b8f97507ec10ab
SHA1

2652e546789203e17149f8b6effa638171c34d7a
SHA256

4528beec0d1a6a49312a3dc6fd24cf39583bca4646764461729a515764f0ab56
SHA512

2e35e51114c715da304c65b1581c6d56198b10103ac629b8f57467061c657e82429b42954a33629ccc6602f91ad8627feec25c2f491a0992627f2f8611240625
SSDEEP

6144:6R+gPJiKheiCNFxwPTdwkuwtAw7Du9ZUZU4ByGKCJh6:4PcKheiFT5fZcZ2U4ByGKCJh6

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:1161

25.ip.gl.ply.gg:1161

Attributes

Install_directory
%AppData%
install_file
schvost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral11/files/0x000b000000012029-5.dat	family_xworm
behavioral11/memory/1592-12-0x0000000000F60000-0x0000000000F78000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
1592	mm.m..exe
2120	Xeno.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	Xeno.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	mm.m..exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1592	1972	Xeno.exe	30
PID 1972 wrote to memory of 1592	1972	Xeno.exe	30
PID 1972 wrote to memory of 1592	1972	Xeno.exe	30
PID 1972 wrote to memory of 2120	1972	Xeno.exe	31
PID 1972 wrote to memory of 2120	1972	Xeno.exe	31
PID 1972 wrote to memory of 2120	1972	Xeno.exe	31

C:\Users\Admin\AppData\Local\Temp\Xeno-v1.1.5\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.1.5\Xeno.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\mm.m..exe
  "C:\Users\Admin\AppData\Roaming\mm.m..exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Users\Admin\AppData\Roaming\Xeno.exe
  "C:\Users\Admin\AppData\Roaming\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mm.m..exe

Filesize
68KB

MD5
4174804f837a3d69acda1c141efacb52

SHA1
b009535f3d77e4781c555a4a8ad2a5e245e92263

SHA256
b696fa6209b98dbd85567c76e4c02d81b4116653dd4a0396257cf679e740335c

SHA512
8c941b63f203fe11d0d9a3f0036a92b92a9e0a5b13ac69d177133e8801b5eed624f2d512f7d22b615704dc46553ed6f5cfe2a1fd5b80cadf256f9a9a7e75c1b4

Download Submit
\Users\Admin\AppData\Roaming\Xeno.exe

Filesize
140KB

MD5
70797e0760472325728ba786ca208976

SHA1
8912f23afbe8b78a9582f2a458b89a7fd697e638

SHA256
20744d38bc27d656a095e57bef62a44f5f6317de3672020e8a4a1e1057545764

SHA512
787f172cbc18eeb4f8e88420377459f37918edc9aec0105566f9e79555a962d6e89d7d0d6b791475282b2c5fb093c9e85544794639ad2771d9ca4a0e5b456477

Download Submit
memory/1592-12-0x0000000000F60000-0x0000000000F78000-memory.dmp

Filesize
96KB

Download
memory/1592-13-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-14-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-15-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x0000000001280000-0x00000000012BE000-memory.dmp

Filesize
248KB

Download