File name:	36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7.exe
Full analysis:	https://app.any.run/tasks/4943f00e-ed5a-4204-9d10-dd4b7c0b7f58
Verdict:	Malicious activity
Threats:	DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	March 03, 2025, 02:24:36
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	delphi dbatloader loader remote xworm netreactor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:	6F1EAD21AA70A3E69CD5C69595FC7916
SHA1:	5FEACB3A236A1E2A981540ACA03FC6AB16D2AA76
SHA256:	36F19CCDFA20772EBEB1C2A89E0EDD174465F5AC697323B4AB05C2A46EC1A1A7
SSDEEP:	49152:B28B1RuRISXmT1sD/F2UoAIsw5/5w5/5w5/5w5/S/o/5/o/5/o/5/o/muUwhEycS:96AJbU8lWlWlWlKslslslsUwuycH8qg9

.scr	\|	Windows screen saver (43.2)
.dll	\|	Win32 Dynamic Link Library (generic) (21.7)
.exe	\|	Win32 Executable (generic) (14.8)
.exe	\|	Win16/32 Executable Delphi generic (6.8)
.exe	\|	Generic Win/DOS Executable (6.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	471040
InitializedDataSize:	1412608
UninitializedDataSize:	-
EntryPoint:	0x747c8
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(7848) ndpha.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID	Process	Filename		Type
8080	extrac32.exe	C:\Users\Public\Upha.pif		executable
		MD5:3FB5CF71F7E7EB49790CB0E663434D80	SHA256:41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9
8144	aken.pif	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jnxnat05.3qt.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7368	36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7.exe	C:\Windows \SysWOW64\svchost.pif		executable
		MD5:869640D0A3F838694AB4DFEA9E2F544D	SHA256:0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
8144	aken.pif	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ccke40zz.cti.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7368	36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7.exe	C:\Users\Public\YzwmoftkF.cmd		text
		MD5:616F542F94791979D27798E12FE9374B	SHA256:D3C9DDAA8DEBFA28BFDFF1DFC8C5BA4E11E39C7D9029EAD83C874FCFC8325DDB
7368	36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7.exe	C:\Users\Public\Libraries\Yzwmoftk99.cmd		text
		MD5:D202469089FA5EC9032F44408562F842	SHA256:9C330F29B95689D3AB2F7A461479CD87869464CC03E53B0D8FF5727BAA8DA979
7368	36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7.exe	C:\Users\Public\Libraries\NEO.cmd		text
		MD5:D9B276C49813262BA64F91B640235BA9	SHA256:67BB0E1739291769728FE9E8A77F6E8F5CF506CCF617D55A3349B0A7542D49A5
7368	36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7.exe	C:\Windows \SysWOW64\NETUTILS.dll		executable
		MD5:1E2A3532537D01C1BE8597C87D8918C3	SHA256:FCBEA11F75B132FC4A6746F80F62DA0064C61092CFCD15CC12879BB95DA5048A
8044	extrac32.exe	C:\Users\Public\alpha.pif		executable
		MD5:CB6CD09F6A25744A8FA6E4B3E4D260C5	SHA256:265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
8104	extrac32.exe	C:\Users\Public\aken.pif		executable
		MD5:2E5A8590CF6848968FC23DE3FA1E25F1	SHA256:9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4208	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4180	ktfomwzY.pif	23.94.126.41:8888	—	AS-COLOCROSSING	US	malicious
7280	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6572	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	216.58.206.78	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7.exe

6F1EAD21AA70A3E69CD5C69595FC7916

5FEACB3A236A1E2A981540ACA03FC6AB16D2AA76

36F19CCDFA20772EBEB1C2A89E0EDD174465F5AC697323B4AB05C2A46EC1A1A7

49152:B28B1RuRISXmT1sD/F2UoAIsw5/5w5/5w5/5w5/S/o/5/o/5/o/5/o/muUwhEycS:96AJbU8lWlWlWlKslslslsUwuycH8qg9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DBATLOADER has been detected (YARA)

Adds path to the Windows Defender exclusion list

Starts PowerShell from an unusual location

XWORM has been detected (YARA)

XWORM has been detected (SURICATA)

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Drops a file with a rarely used extension (PIF)

Executable content was dropped or overwritten

Likely accesses (executes) a file from the Public directory

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Rename legitimate system utilities

Starts application with an unusual extension

Starts a Microsoft application from unusual location

Starts itself from another location

Connects to unusual port

Checks Windows Trust Settings

Contacting a server suspected of hosting an CnC

INFO

Compiled with Borland Delphi (YARA)

Checks supported languages

Reads the computer name

Checks proxy server information

The sample compiled with english language support

Process checks computer location settings

Process checks Powershell version

Reads the machine GUID from the registry

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

.NET Reactor protector has been detected

Reads the software policy settings

Create files in a temporary directory

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules