File name:	injection.exe
Full analysis:	https://app.any.run/tasks/554f53e6-da4a-4585-a814-6c49c43dc005
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	April 14, 2025, 11:26:40
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	github remote xworm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	DC602D6018CC42440EE3AB120C0F7AD2
SHA1:	2E8E33C17FAA2288B44B33D91D576C8EEF9B12AF
SHA256:	17CF5567C6F9581D4F3A819CB987AD1C7DD19390A17409D5BC874E015AB9740A
SSDEEP:	6144:kPJe+446RSUFnR9RLub874yxPtMiEElEE:dYUFXRLub8QiEElEE

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:14 11:22:08+00:00
ImageFileCharacteristics:	Executable
PEType:	PE32
LinkerVersion:	8
CodeSize:	240128
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x3c7fa
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	injection.exe
LegalCopyright:
OriginalFileName:	injection.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(7744) dasHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	dasHost
Value: C:\Users\admin\AppData\Roaming\dasHost.exe
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7744) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
7744	dasHost.exe	C:\Users\admin\AppData\Roaming\dasHost.exe		executable
		MD5:DC602D6018CC42440EE3AB120C0F7AD2	SHA256:17CF5567C6F9581D4F3A819CB987AD1C7DD19390A17409D5BC874E015AB9740A
7744	dasHost.exe	C:\Users\admin\AppData\Local\Temp\tmp1848.tmp.bat		text
		MD5:364634CD6A0799A94A668E1D1004A128	SHA256:0475D815F53D1028E9B18AC4CB02BA5C72941D653F9BE4FEB1EC72D58D84BDE0
7672	dasHost.exe	C:\Users\admin\AppData\Local\Temp\tmpB761.tmp.bat		text
		MD5:E46D320B2EA3FFF4520C68495E786893	SHA256:E346BA4E167EC9B4F0E94B4860FB27D59EAAAEC26816FD4348D8A9168140BF2C
6740	dasHost.exe	C:\Users\admin\AppData\Roaming\dasHost.exe		executable
		MD5:DC602D6018CC42440EE3AB120C0F7AD2	SHA256:17CF5567C6F9581D4F3A819CB987AD1C7DD19390A17409D5BC874E015AB9740A
6740	dasHost.exe	C:\Users\admin\AppData\Local\Temp\tmpEE64.tmp.bat		text
		MD5:EE439F0A84EDAAA39F60321554AE14C3	SHA256:AFA18E8AFF868EC36FB2A45EAC99B97B055AC639F904AE83C2CD3BDC9E8F1352
7676	injection.exe	C:\Users\admin\AppData\Local\Temp\dasHost.exe		executable
		MD5:DC602D6018CC42440EE3AB120C0F7AD2	SHA256:17CF5567C6F9581D4F3A819CB987AD1C7DD19390A17409D5BC874E015AB9740A
7672	dasHost.exe	C:\Users\admin\AppData\Roaming\dasHost.exe		executable
		MD5:DC602D6018CC42440EE3AB120C0F7AD2	SHA256:17CF5567C6F9581D4F3A819CB987AD1C7DD19390A17409D5BC874E015AB9740A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.164.16:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	40.69.42.241:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
—	—	GET	200	4.175.87.197:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.16.164.16:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7744	dasHost.exe	185.199.109.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted
7744	dasHost.exe	193.161.193.99:38456	bestmeaw22-38456.portmap.io	OOO Bitree Networks	RU	malicious
7744	dasHost.exe	176.97.210.4:505	abolhb.com	Tube-Hosting	DE	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146 4.231.128.59	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.164.16 2.16.164.104 2.16.164.120 2.16.164.82 2.16.164.106 2.16.164.96 2.16.164.81 2.16.164.83 2.16.164.89 23.48.23.143 23.48.23.156	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
login.live.com	20.190.160.128 20.190.160.22 40.126.32.140 20.190.160.4 40.126.32.138 20.190.160.2 20.190.160.130 40.126.32.136	whitelisted
raw.githubusercontent.com	185.199.109.133 185.199.110.133 185.199.108.133 185.199.111.133	whitelisted
bestmeaw22-38456.portmap.io	193.161.193.99	malicious
abolhb.com	176.97.210.4	malicious
slscr.update.microsoft.com	4.245.163.56	whitelisted
www.microsoft.com	184.30.21.171	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2196	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
7744	dasHost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm Network Packet
7744	dasHost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm Network Packet
6740	dasHost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm Network Packet
6740	dasHost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm Network Packet
7672	dasHost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm Network Packet
7672	dasHost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm Network Packet

General Info

injection.exe

DC602D6018CC42440EE3AB120C0F7AD2

2E8E33C17FAA2288B44B33D91D576C8EEF9B12AF

17CF5567C6F9581D4F3A819CB987AD1C7DD19390A17409D5BC874E015AB9740A

6144:kPJe+446RSUFnR9RLub874yxPtMiEElEE:dYUFXRLub8QiEElEE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

XWORM has been detected (SURICATA)

XWORM has been detected (YARA)

SUSPICIOUS

The process executes via Task Scheduler

Reads the date of Windows installation

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

Connects to unusual port

There is functionality for taking screenshot (YARA)

Deletes scheduled task without confirmation

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Executing commands from a ".bat" file

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Process checks computer location settings

Checks proxy server information

Disables trace logs

Reads the software policy settings

Reads Environment values

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests