xworm | 08c5a1f9165e483f11ff06dfca818249d3937ca4e4e561a553298068a3d03562

Analysis

max time kernel
434s
max time network
438s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 13:40

Target

WizClient.exe
Size

77KB
MD5

da01c629e0a42cc74a118b49ab2a888a
SHA1

8a12e6f871c0e838faab5345e0f973abfec63be0
SHA256

08c5a1f9165e483f11ff06dfca818249d3937ca4e4e561a553298068a3d03562
SHA512

ba8837d3743409fb98f9d01837c95a876a6cfe81461ef58312f2fff6352e6619879f5ddb08a161cad8770229d76198d3069180e2151f1b21539e8afc119167d1
SSDEEP

1536:+LcWOW32n9m/jdMRNoIbw0El/K1TBM61g/VaTOEmKrp4H:+w9Mhy9bw0TTOEmKGH

Score

10^/10

xworm rat trojan

Family

xworm

nice-july.gl.at.ply.gg:49433

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/436-1-0x00000000001E0000-0x00000000001FA000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	WizClient.exe

C:\Users\Admin\AppData\Local\Temp\WizClient.exe
"C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

memory/436-0-0x00007FFA2A973000-0x00007FFA2A975000-memory.dmp

Filesize
8KB

Download
memory/436-1-0x00000000001E0000-0x00000000001FA000-memory.dmp

Filesize
104KB

Download
memory/436-2-0x00007FFA2A970000-0x00007FFA2B431000-memory.dmp

Filesize
10.8MB

Download
memory/436-3-0x00007FFA2A970000-0x00007FFA2B431000-memory.dmp

Filesize
10.8MB

Download