File name:	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom
Full analysis:	https://app.any.run/tasks/93c8abd5-b7cb-4792-ace8-8833593c7fa6
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 05:19:45
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python evasion telegram auto-reg auto-startup remote xworm ims-api generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	FCC8EA917238E0FB507951C0483EB13E
SHA1:	585FB8AF1641697A7A5109CD2AE364E4F24668BA
SHA256:	3AD93B22CD7C6E91730C2409B8B8544660F8C8973F85E98161F9B0E71154F1AC
SSDEEP:	98304:CCYzB11IbSb4Y6ZhkDQet54nHZUKxUSVhP8sScm32mPAvNeeJLKTnlAplY9WnZtd:lTes881mw2/kiS3V

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:04:21 19:06:11+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	173568
InitializedDataSize:	197120
UninitializedDataSize:	-
EntryPoint:	0xce30
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7864) tmpe3yg6qfv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tmpe3yg6qfv_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\_hashlib.pyd		executable
		MD5:3E540EF568215561590DF215801B0F59	SHA256:0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\_socket.pyd		executable
		MD5:566CB4D39B700C19DBD7175BD4F2B649	SHA256:77EBA293FE03253396D7BB6E575187CD026C80766D7A345EB72AD92F0BBBC3AA
7768	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\tmpe3yg6qfv.exe		executable
		MD5:F8B020B55525976C630539DFFC19001B	SHA256:2CB30BCF965005CE723E2F610EB3C787329D997F906C56A149A64323EEC7B53B
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\_decimal.pyd		executable
		MD5:21FCB8E3D4310346A5DC1A216E7E23CA	SHA256:9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\_lzma.pyd		executable
		MD5:D63E2E743EA103626D33B3C1D882F419	SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\select.pyd		executable
		MD5:715A098175D3CA1C1DA2DC5756B31860	SHA256:A6FD5ECAA5129D9543888D0413272903BF53B3AE57008A1411EEE594FFC1199F
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\base_library.zip		compressed
		MD5:CC1225EF336426F21B782A02DD59870D	SHA256:AEA34116625751CFF0ED057D7C380E62F3E60996809DB3E03F04CEC3E5C4C095
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\python313.dll		executable
		MD5:7387FE038EA75EB9A57B054FCCFE37BF	SHA256:69FD86EA29370697C203F7E12830084F920F490766A8E3045AF52C036A9AD529
7864	tmpe3yg6qfv.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmpe3yg6qfv.lnk		binary
		MD5:F61DA327B296E584D3F3E011BE0455C7	SHA256:0ADA7501CD1AD394824ED4EE9DCC24A0E44EEE527020CEB53899DDC1BE38B9B2
7660	2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom.exe	C:\Users\admin\AppData\Local\Temp\_MEI76602\unicodedata.pyd		executable
		MD5:503B3FFA6A5BF45AB34D6D74352F206B	SHA256:9BDC17238FFE19C39ECF849503EAF3DB282EA4BC91FEAD0EE2BBC7410624A75F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7864	tmpe3yg6qfv.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	whitelisted
—	—	GET	200	149.154.167.99:443	https://api.telegram.org/bot6726687937:AAHqmFuXubtZVn7Ez3uh19szbfohPOmg28A/sendMessage?chat_id=5863862729&text=%E2%98%A0%20%5BXWorm%20V3.1%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3C54740F7CC0F23B53E5%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro	unknown	binary	429 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7864	tmpe3yg6qfv.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
7864	tmpe3yg6qfv.exe	149.154.167.220:443	api.telegram.org	Telegram Messenger Inc	GB	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7864	tmpe3yg6qfv.exe	92.119.178.3:52663	—	M247 Ltd	SG	unknown
7360	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
ip-api.com	208.95.112.1	whitelisted
api.telegram.org	149.154.167.220	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7864	tmpe3yg6qfv.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
7864	tmpe3yg6qfv.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
2196	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
7864	tmpe3yg6qfv.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2196	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
7864	tmpe3yg6qfv.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
—	—	Misc activity	ET HUNTING Telegram API Request (GET)
7864	tmpe3yg6qfv.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Initial Packet

General Info

2025-04-29_fcc8ea917238e0fb507951c0483eb13e_black-basta_cobalt-strike_satacom

FCC8EA917238E0FB507951C0483EB13E

585FB8AF1641697A7A5109CD2AE364E4F24668BA

3AD93B22CD7C6E91730C2409B8B8544660F8C8973F85E98161F9B0E71154F1AC

98304:CCYzB11IbSb4Y6ZhkDQet54nHZUKxUSVhP8sScm32mPAvNeeJLKTnlAplY9WnZtd:lTes881mw2/kiS3V

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

XWORM has been detected (YARA)

XWORM has been detected (SURICATA)

Create files in the Startup directory

SUSPICIOUS

Application launched itself

Process drops legitimate windows executable

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops python dynamic module

Loads Python modules

Starts CMD.EXE for commands execution

Checks for external IP

Reads the date of Windows installation

Reads security settings of Internet Explorer

Possible usage of Discord/Telegram API has been detected (YARA)

Contacting a server suspected of hosting an CnC

Connects to unusual port

The process executes via Task Scheduler

Process communicates with Telegram (possibly using it as an attacker's C2 server)

The executable file from the user directory is run by the CMD process

INFO

Create files in a temporary directory

The sample compiled with english language support

Checks supported languages

Reads the computer name

Reads Environment values

Reads the machine GUID from the registry

Disables trace logs

Checks proxy server information

Creates files or folders in the user directory

Process checks computer location settings

Auto-launch of the file from Registry key

Manual execution by a user

Auto-launch of the file from Startup directory

Reads the software policy settings

Malware configuration

XWorm

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information