Malware Analysis Report

2025-05-06 00:17

Sample ID: 250418-leew4szse1
Target: tmp_ojohbyy
SHA256: ce77b1bc3431139358e2a70fa5f731d1be127e77efe8b534df5ccde59083849d
Tags: latentbot xworm rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: ce77b1bc3431139358e2a70fa5f731d1be127e77efe8b534df5ccde59083849d

Threat Level: Known bad

The file tmp_ojohbyy was found to be: Known bad.

Malicious Activity Summary

latentbot xworm rat trojan

Detect Xworm Payload

Latentbot family

Xworm

Xworm family

LatentBot

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-04-18 09:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-04-18 09:26
Reported: 2025-04-18 09:29
Platform: win10v2004-20250410-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

Xworm

trojan rat xworm

Xworm family

xworm

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe

"C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 cryptoghost.zapto.org udp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
US 8.8.8.8:53 abolhb.com udp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 cryptoghost.zapto.org udp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp

Files

memory/1896-0-0x00007FFBA50F3000-0x00007FFBA50F5000-memory.dmp

memory/1896-1-0x0000022DD4BD0000-0x0000022DD4D36000-memory.dmp

memory/1896-2-0x0000022DEF2D0000-0x0000022DEF42C000-memory.dmp

memory/1896-3-0x00007FFBA50F0000-0x00007FFBA5BB1000-memory.dmp

memory/1896-4-0x0000022DD68D0000-0x0000022DD68E2000-memory.dmp

memory/1896-5-0x00007FFBA50F3000-0x00007FFBA50F5000-memory.dmp

memory/1896-6-0x00007FFBA50F0000-0x00007FFBA5BB1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-04-18 09:26
Reported: 2025-04-18 09:29
Platform: win11-20250410-en
Max time kernel: 149s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

Xworm

trojan rat xworm

Xworm family

xworm

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe

"C:\Users\Admin\AppData\Local\Temp\tmp_ojohbyy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
US 52.111.229.43:443 tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp

Files

memory/6100-1-0x000001A349C90000-0x000001A349DF6000-memory.dmp

memory/6100-0-0x00007FFB335B3000-0x00007FFB335B5000-memory.dmp

memory/6100-2-0x000001A3642F0000-0x000001A36444C000-memory.dmp

memory/6100-3-0x00007FFB335B0000-0x00007FFB34072000-memory.dmp

memory/6100-4-0x000001A34A2D0000-0x000001A34A2E2000-memory.dmp

memory/6100-5-0x00007FFB335B3000-0x00007FFB335B5000-memory.dmp

memory/6100-6-0x00007FFB335B0000-0x00007FFB34072000-memory.dmp