File name: S500RAT.exe

Full analysis: https://app.any.run/tasks/57e8aa11-6099-4d88-882a-2e3b8a54e3d6
Verdict: Malicious activity
Threats: XWorm

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: August 31, 2024, 17:23:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: xworm, remote, themida
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D6967D80ED4A22C8DFA436F0A8F9D6F4
SHA1: A809829519B1D789E4D02AC104DAAF4047BB6380
SHA256: 1A9F1362704FB9AEDA9079E2815BFEB6ACD4A15CC5FDEF78D2AFEEF2FF6FDF3B
SSDEEP: 196608:mR8b7ofvFaHI8wiUykvUpcTbO8BV7cA5KV8NtEhfhQb:mm4fvFaIlvUpcXPBVgA5LNtEPQb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • svchost.exe (PID: 2256)
      • SVCHOST.EXE (PID: 3112)
    • XWORM has been detected (SURICATA)

      • svchost.exe (PID: 2256)
      • SVCHOST.EXE (PID: 3112)
    • XWORM has been detected (YARA)

      • SVCHOST.EXE (PID: 3112)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • S500RAT.exe (PID: 4540)
    • Reads security settings of Internet Explorer

      • S500RAT.exe (PID: 4540)
      • S500RAT.EXE (PID: 6400)
    • Reads the date of Windows installation

      • S500RAT.exe (PID: 4540)
      • S500RAT.EXE (PID: 6400)
    • The process creates files with name similar to system file names

      • S500RAT.exe (PID: 4540)
    • Executable content was dropped or overwritten

      • S500RAT.exe (PID: 4540)
    • Starts CMD.EXE for commands execution

      • S500RAT.EXE (PID: 6400)
    • Executing commands from a ".bat" file

      • S500RAT.EXE (PID: 6400)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2256)
      • SVCHOST.EXE (PID: 3112)
    • Connects to unusual port

      • SVCHOST.EXE (PID: 3112)
  • INFO

    • The process uses the downloaded file

      • S500RAT.exe (PID: 4540)
      • S500RAT.EXE (PID: 6400)
    • Reads the computer name

      • S500RAT.exe (PID: 4540)
      • S500RAT.EXE (PID: 6400)
    • Checks supported languages

      • S500RAT.exe (PID: 4540)
      • S500RAT.EXE (PID: 6400)
      • SVCHOST.EXE (PID: 3112)
    • Process checks computer location settings

      • S500RAT.exe (PID: 4540)
      • S500RAT.EXE (PID: 6400)
    • Creates files in a temporary directory

      • S500RAT.EXE (PID: 6400)
    • Reads the machine GUID from the registry

      • SVCHOST.EXE (PID: 3112)
    • Themida protector has been detected

      • SVCHOST.EXE (PID: 3112)

XWorm configuration (extracted from SVCHOST.EXE, PID: 3112)

C2: license-donna.at.ply.gg:55049
Keys:
  • AES: <123456789>
Options:
  • Splitter: <Xwormmm>
  • USB drop name: USB.exe
  • Mutex: a91H2xmbhI9aDmQI

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:07:03 09:05:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 31232
InitializedDataSize: 22268416
UninitializedDataSize: -
EntryPoint: 0x3248
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 124
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start, s500rat.exe, s500rat.exe (no specs), s500rat.exe, #XWORM svchost.exe, cmd.exe (no specs), conhost.exe (no specs), #XWORM svchost.exe, taskhostw.exe (no specs)

Process information (per process: PID, command line, path, indicators, parent process, and loaded images)
PID 2136: "C:\Users\admin\Documents\S500RAT.EXE"
Path: C:\Users\admin\Documents\S500RAT.EXE
Parent process: S500RAT.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\documents\s500rat.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
PID 2256: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll
PID 3112: "C:\Users\admin\Documents\SVCHOST.EXE"
Path: C:\Users\admin\Documents\SVCHOST.EXE
Parent process: S500RAT.exe
Indicators: #XWORM
User: admin
Integrity Level: MEDIUM
Version: 1.0.0.0
Modules (images):
  • c:\windows\syswow64\windows.storage.dll
  • c:\windows\syswow64\wldp.dll
  • c:\windows\syswow64\shcore.dll
  • c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\a3d5ecf3027b12f6bd535bca01da6872\system.core.ni.dll
  • c:\windows\syswow64\clbcatq.dll
  • c:\windows\syswow64\sxs.dll
  • c:\windows\syswow64\wshom.ocx
  • c:\windows\syswow64\mpr.dll
  • c:\windows\syswow64\scrrun.dll
  • c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\9d97973f9474507658475413b2a51e1e\system.configuration.ni.dll
PID 4392: taskhostw.exe
Path: C:\Windows\System32\taskhostw.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Host Process for Windows Tasks
Exit code: 5
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\taskhostw.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\oleaut32.dll
PID 4540: "C:\Users\admin\Desktop\S500RAT.exe"
Path: C:\Users\admin\Desktop\S500RAT.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\s500rat.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shell32.dll
PID 6204: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID 6400: "C:\Users\admin\Documents\S500RAT.EXE"
Path: C:\Users\admin\Documents\S500RAT.EXE
Parent process: S500RAT.exe
User: admin
Integrity Level: HIGH
Exit code: 5
Modules (images):
  • c:\users\admin\documents\s500rat.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\gdi32.dll
PID 6592: "C:\WINDOWS\sysnative\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\BFDD.tmp\BFDE.tmp\BFDF.bat C:\Users\admin\Documents\S500RAT.EXE"
Path: C:\Windows\System32\cmd.exe
Parent process: S500RAT.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 5
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 2 359
Read events: 2 343
Write events: 16
Delete events: 0

Modification events

All eight events are registry writes to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:

  • S500RAT.exe (PID: 4540): ProxyBypass = 1
  • S500RAT.exe (PID: 4540): IntranetName = 1
  • S500RAT.exe (PID: 4540): UNCAsIntranet = 1
  • S500RAT.exe (PID: 4540): AutoDetect = 0
  • S500RAT.EXE (PID: 6400): ProxyBypass = 1
  • S500RAT.EXE (PID: 6400): IntranetName = 1
  • S500RAT.EXE (PID: 6400): UNCAsIntranet = 1
  • S500RAT.EXE (PID: 6400): AutoDetect = 0
Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

  • PID 4540 (S500RAT.exe): C:\Users\admin\Documents\SVCHOST.EXE (executable)
    MD5: 5EFC0485C8E0E22C1CC74071456BF145
    SHA256: F726A4959A28DDE5553AF82CC008573B5D0D4E7CE5D92C2A98986CA1DF9CB09B
  • PID 6400 (S500RAT.EXE): C:\Users\admin\AppData\Local\Temp\BFDD.tmp\BFDE.tmp\BFDF.bat (text)
    MD5: FC4AF7384F0B6F274DD3E745F0ACEEAA
    SHA256: F27A781BD4E8788990CEECAC17BA4B9642E15F0D311E17D62C70DB694C207A34
  • PID 4540 (S500RAT.exe): C:\Users\admin\Documents\S500RAT.EXE (executable)
    MD5: 5B52658C4517684971DE10A6B7A67C30
    SHA256: 3EC85206A8C5D584C2CF4AB575BDD5CF4B29ED3A896032A1ADC37F1C08507B31
HTTP(S) requests: 1
TCP/UDP connections: 17
DNS requests: 5
Threats: 29

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 404 | 140.82.121.4:443 | https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe | unknown | html | 262 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7128 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3708 | powershell.exe | 140.82.121.4:443 | github.com | GITHUB | US | shared
3112 | SVCHOST.EXE | 209.25.141.223:55049 | license-donna.at.ply.gg | PLAYIT-GG | US | malicious

DNS requests

Domain | IP | Reputation
google.com | 142.250.184.206 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
github.com | 140.82.121.4 | shared
license-donna.at.ply.gg | 209.25.141.223 | malicious

Threats

PID | Process | Class | Message
2256 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
2256 | svchost.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
3112 | SVCHOST.EXE | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | Misc activity | ET INFO Request for EXE via Powershell
3112 | SVCHOST.EXE | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet
23 ETPRO signatures available at the full report
Process | Message
S500RAT.exe | C:\Users\admin\Documents\S500RAT.EXE
S500RAT.exe | C:\Users\admin\Documents\SVCHOST.EXE