xworm | 8f5b86e72ab98c41c660aee0c529d430e82172ddaa4fb80821392a4eab729b9b

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload_extracted.exe
Size

1.2MB
MD5

a3e9edbeda9202428162ce51852d0e78
SHA1

7a75214465bad1050098d3f2feb5fd918fa4d13d
SHA256

8f5b86e72ab98c41c660aee0c529d430e82172ddaa4fb80821392a4eab729b9b
SHA512

d8a70a0833ddf0b190429f58f3fe5de9747a1ee88abfc5b05e7861c59d39d2ec1d8f204cb87573a65657de42d0b544f02ebe85de77fde380b11a6dec36288e14
SSDEEP

24576:teVrNptvf/9VgJi7TixdrkPzAlxJyfb+3edbG18TldOKFjSqweA4:EVp/Hsi7TG4rAlxJyi3abG1ClrGqnx

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

meowycatty.ddns.net:8843

Mutex

0E4VwJ2aWKHLu9kc

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4136-5-0x0000000005450000-0x000000000545E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	payload_extracted.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	payload_extracted.exe

C:\Users\Admin\AppData\Local\Temp\payload_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\payload_extracted.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4136-0-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/4136-1-0x00000000004C0000-0x00000000005FA000-memory.dmp

Filesize
1.2MB

Download
memory/4136-2-0x0000000004DB0000-0x0000000004E08000-memory.dmp

Filesize
352KB

Download
memory/4136-3-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4136-4-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4136-5-0x0000000005450000-0x000000000545E000-memory.dmp

Filesize
56KB

Download
memory/4136-6-0x0000000005510000-0x00000000055AC000-memory.dmp

Filesize
624KB

Download
memory/4136-7-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/4136-8-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4136-9-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download