Analysis Overview
SHA256
ce77b1bc3431139358e2a70fa5f731d1be127e77efe8b534df5ccde59083849d
Threat Level: Known bad
The file tmp_ojohbyy was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Latentbot family
Xworm
Xworm family
LatentBot
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-18 09:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-18 09:26
Reported
2025-04-18 09:29
Platform
win10v2004-20250410-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
Xworm
Xworm family
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe
"C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | cryptoghost.zapto.org | udp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| US | 8.8.8.8:53 | abolhb.com | udp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | cryptoghost.zapto.org | udp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
Files
memory/1896-0-0x00007FFBA50F3000-0x00007FFBA50F5000-memory.dmp
memory/1896-1-0x0000022DD4BD0000-0x0000022DD4D36000-memory.dmp
memory/1896-2-0x0000022DEF2D0000-0x0000022DEF42C000-memory.dmp
memory/1896-3-0x00007FFBA50F0000-0x00007FFBA5BB1000-memory.dmp
memory/1896-4-0x0000022DD68D0000-0x0000022DD68E2000-memory.dmp
memory/1896-5-0x00007FFBA50F3000-0x00007FFBA50F5000-memory.dmp
memory/1896-6-0x00007FFBA50F0000-0x00007FFBA5BB1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-18 09:26
Reported
2025-04-18 09:29
Platform
win11-20250410-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
Xworm
Xworm family
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe
"C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| US | 52.111.229.43:443 | tcp | |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
Files
memory/6100-1-0x000001A349C90000-0x000001A349DF6000-memory.dmp
memory/6100-0-0x00007FFB335B3000-0x00007FFB335B5000-memory.dmp
memory/6100-2-0x000001A3642F0000-0x000001A36444C000-memory.dmp
memory/6100-3-0x00007FFB335B0000-0x00007FFB34072000-memory.dmp
memory/6100-4-0x000001A34A2D0000-0x000001A34A2E2000-memory.dmp
memory/6100-5-0x00007FFB335B3000-0x00007FFB335B5000-memory.dmp
memory/6100-6-0x00007FFB335B0000-0x00007FFB34072000-memory.dmp