File name:

000.exe

Full analysis: https://app.any.run/tasks/f17d3745-eafb-491e-842e-ec4a75bd8f67
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: November 12, 2024, 13:43:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
crypto-regex
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

AE4957B9487D4BEF4561924CACFD87E1

SHA1:

7C4345BE2315779D07E5B2CAA5105F021AA71A98

SHA256:

2BCA82CD14951C2CE35707A176B1555956C8EF938187F4E7687DA194C818B492

SSDEEP:

1536:o4++2doROB5UuUZbZKkav70b2RK9b/O6vfwpUGCjO1RnpQNdb:oe2ORAkYQbv9bG6ApkjOnpyb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XWORM has been detected (YARA)

      • 000.exe (PID: 5240)

    • Create files in the Startup directory

      • 000.exe (PID: 5240)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 000.exe (PID: 5240)

    • Found regular expressions for crypto-addresses (YARA)

      • 000.exe (PID: 5240)

    • Connects to unusual port

      • 000.exe (PID: 5240)

  • INFO

    • Reads the machine GUID from the registry

      • 000.exe (PID: 5240)

    • Reads the computer name

      • 000.exe (PID: 5240)

    • Checks supported languages

      • 000.exe (PID: 5240)

    • Creates files or folders in the user directory

      • 000.exe (PID: 5240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(5240) 000.exe
C2185.29.8.111:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexS3U7c3fjLEk12DuF
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:12 13:22:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 71680
InitializedDataSize: 101888
UninitializedDataSize: -
EntryPoint: 0x136be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: 000.exe
LegalCopyright:
OriginalFileName: 000.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT 000.exe

Process information

PID
CMD
Path
Indicators
Parent process
5240"C:\Users\admin\AppData\Local\Temp\000.exe" C:\Users\admin\AppData\Local\Temp\000.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\000.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(5240) 000.exe
C2185.29.8.111:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexS3U7c3fjLEk12DuF
Total events
455
Read events
455
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5240000.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhosts.lnkbinary
MD5:9B87A6C1BD7144E4A902FF6DDF069C3F
SHA256:09A95BF3ADD61D18B60D50398F33D058A7107F1DAB4BDEF194A49B39A994541B
5240000.exeC:\Users\admin\AppData\Roaming\svhosts.exeexecutable
MD5:AE4957B9487D4BEF4561924CACFD87E1
SHA256:2BCA82CD14951C2CE35707A176B1555956C8EF938187F4E7687DA194C818B492
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
37
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2076
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6368
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6368
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7060
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
192.229.221.95:80
EDGECAST
US
whitelisted
6944
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2076
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2076
svchost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
4360
SearchApp.exe
104.126.37.147:443
Akamai International B.V.
DE
unknown
4360
SearchApp.exe
92.123.104.24:443
th.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.71
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.67
  • 40.126.31.71
whitelisted
th.bing.com
  • 92.123.104.24
  • 92.123.104.20
  • 92.123.104.30
  • 92.123.104.21
  • 92.123.104.27
  • 92.123.104.32
  • 92.123.104.26
  • 92.123.104.19
  • 92.123.104.31
whitelisted
go.microsoft.com
  • 23.213.170.81
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
000.exe