xworm | 5b1a883fc342ab1654912c119190f04771ae47477f1a006b932150129675134c

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37b5b3a3044b6d582546b772fa8cee08.exe
Size

41KB
MD5

37b5b3a3044b6d582546b772fa8cee08
SHA1

976fe55af8260423d47d07859655eafb46aee11f
SHA256

45474924043bbf73569c9efb1273c22d37ce780eb8f53c5e8836e62c0b78abc5
SHA512

34e9cf859769d2f0f0c0a83bad045b5392ac120e942040a9d9827b5dc80b4f27e4bf328628e542b28c1c1d2a13e9d07f5caa2ddc2f9f199498e89e38dd567f64
SSDEEP

768:bHzZwCyfrD6QdI9Efsq2xFPw9b20h6sOuh5Pe1rpU:nC9vtdI2SFY9q0h6sOuz2rpU

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:51521

santifzm-51521.portmap.host:51521

Mutex

b72MvNSRMPJDN4rw

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1992-1-0x0000000001210000-0x0000000001220000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	37b5b3a3044b6d582546b772fa8cee08.exe

C:\Users\Admin\AppData\Local\Temp\37b5b3a3044b6d582546b772fa8cee08.exe
"C:\Users\Admin\AppData\Local\Temp\37b5b3a3044b6d582546b772fa8cee08.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/1992-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-3-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-4-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download