File name: XWorm v3.1 by FCP (2).rar

Full analysis: https://app.any.run/tasks/e6a80023-590b-48a5-8253-b53c537310ee
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers establish partial to complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functions for carrying out illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: July 12, 2023, 00:02:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, redline, telegram
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: B99426B6F3FB994FB36BB24BAAECE9E8
SHA1: 422C00044FAECBB7D4E5C38BBC60D70D6051B7A0
SHA256: 2259F5BDC94D64393C95E738AD39ED1C90AEEDD741F0AF9297E61B724AB13ED6
SSDEEP: 98304:LZvu/LnLQGTLOgw11gE4AfnESays2sM91tw3cebb:LluznN1w1KE423X1XTeX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
    • Connects to the CnC server
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
    • REDLINE was detected
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
    • Steals credentials from Web Browsers
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
    • Actions looks like stealing of personal data
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
  • SUSPICIOUS
    • Searches for installed software
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
    • Connects to unusual port
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
    • Reads browser cookies
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
  • INFO
    • Manual execution by a user
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
      • wmpnscfg.exe (PID: 1360)
    • Reads the machine GUID from the registry
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
      • wmpnscfg.exe (PID: 1360)
    • Reads the computer name
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
      • wmpnscfg.exe (PID: 1360)
    • The process checks LSA protection
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
      • wmpnscfg.exe (PID: 1360)
    • Checks supported languages
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
      • wmpnscfg.exe (PID: 1360)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3140)
    • Reads product name
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
    • Reads Environment values
      • XWorm v3.1 [Cracked by $FCP$].exe (PID: 3060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, searchprotocolhost.exe (no specs), xworm v3.1 [cracked by $fcp$].exe (#REDLINE), wmpnscfg.exe (no specs)

Process information

PID: 1360
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID: 2228
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules:
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3060
CMD: "C:\Users\admin\Desktop\XWorm v3.1 by FCP\XWorm v3.1 [Cracked by $FCP$].exe"
Path: C:\Users\admin\Desktop\XWorm v3.1 by FCP\XWorm v3.1 [Cracked by $FCP$].exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules:
c:\users\admin\desktop\xworm v3.1 by fcp\xworm v3.1 [cracked by $fcp$].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\rpcrt4.dll
PID: 3140
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XWorm v3.1 by FCP (2).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules:
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
Total events: 3 061
Read events: 3 039
Write events: 19
Delete events: 3

Modification events

PID 3140, WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\phacker.zip
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
PID 3140, WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\General | Operation: write | Name: LastFolder | Value: C:\Users\admin\Desktop
Executable files: 5
Suspicious files: 1
Text files: 18
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\Background.png | image
    MD5: A466FC11F42A6DE40E050C9813947612
    SHA256: 5047DC90D705A1A50C325FC00B26D5290939C42D6AA727D09E8D21D0537CEC85
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\GeoIP.dat | binary
    MD5: 8EF41798DF108CE9BD41382C9721B1C9
    SHA256: BC07FF22D4EE0B6FAFCC12482ECF2981C172A672194C647CEDF9B4D215AD9740
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\FastColoredTextBox.dll | executable
    MD5: B746707265772B362C0BA18D8D630061
    SHA256: 3701B19CCDAC79B880B197756A972027E2AC609EBED36753BD989367EA4EF519
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\Icons\icon (10).ico | image
    MD5: AD1740CB3317527AA1ACAE6E7440311E
    SHA256: 7A97547954AAAD629B0563CC78BCA75E3339E8408B70DA2ED67FA73B4935D878
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\Icons\icon (15).ico | image
    MD5: E3143E8C70427A56DAC73A808CBA0C79
    SHA256: B2F57A23ECC789C1BBF6037AC0825BF98BABC7BF0C5D438AF5E2767A27A79188
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\Icons\icon (11).ico | image
    MD5: 1C2CEA154DEEDC5A39DAEC2F1DADF991
    SHA256: 3B64B79E4092251EBF090164CD2C4815390F34849BBD76FB51085B6A13301B6D
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\Icons\icon (12).ico | image
    MD5: 4EA9AB789F5AE96766E3F64C8A4E2480
    SHA256: 84B48CA52DFCD7C74171CF291D2EF1247C3C7591A56B538083834D82857FEE50
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\Icons\icon (13).ico | image
    MD5: E6FEC4185B607E01A938FA405E0A6C6C
    SHA256: 2E2F17B7DD15007192E7CBBD0019355F8BE58068DC5042323123724B99AE4B44
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\Icons\icon (1).ico | image
    MD5: 4F409511E9F93F175CD18187379E94CB
    SHA256: 115F0DB669B624D0A7782A7CFAF6E7C17282D88DE3A287855DBD6FE0F8551A8F
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3140.17328\XWorm v3.1 by FCP\GMap.NET.WindowsForms.dll | executable
    MD5: 32A8742009FFDFD68B46FE8FD4794386
    SHA256: 741E1A8F05863856A25D101BD35BF97CBA0B637F0C04ECB432C1D85A78EF1365
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 9

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1076 | svchost.exe | 224.0.0.252:5355 | | | | unknown
292 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
3060 | XWorm v3.1 [Cracked by $FCP$].exe | 176.124.220.193:27202 | | Cloud assets LLC | RU | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
3060 | XWorm v3.1 [Cracked by $FCP$].exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
3060 | XWorm v3.1 [Cracked by $FCP$].exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
3060 | XWorm v3.1 [Cracked by $FCP$].exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
3060 | XWorm v3.1 [Cracked by $FCP$].exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
3060 | XWorm v3.1 [Cracked by $FCP$].exe | A Network Trojan was detected | ET MALWARE Redline Stealer Activity (Response)
3060 | XWorm v3.1 [Cracked by $FCP$].exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
3060 | XWorm v3.1 [Cracked by $FCP$].exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
3060 | XWorm v3.1 [Cracked by $FCP$].exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
3060 | XWorm v3.1 [Cracked by $FCP$].exe | Misc activity | SUSPICIOUS [ANY.RUN] Possibly Exfiltrating the application list
No debug info