| File name: | XWorm V5.4.exe |
| Full analysis: | https://app.any.run/tasks/feeba6f3-2922-4642-9c2c-280439338f21 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | February 21, 2024, 16:46:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 065A8D7FAD2AD13B9F04DE982294EB21 |
| SHA1: | 7ECF3A3B1A0FA25F701787D98BD42C6F39C2F8CE |
| SHA256: | 3B2F28E621AF3EA54ABF28071E2F36143A30AA87A091F0EE3764C15B2DEA4303 |
| SSDEEP: | 98304:XYm6PIoxS1D6lAcjKCTJZUhyJtdgQPLyFHxKfTjEqg5eI/7BHpPZApoKMYra4YQC:O2U/VLWlliaXiIb/ah2mdcv |
MALICIOUS
Drops the executable file immediately after the start
- XWorm V5.4.exe (PID: 4052)
XWORM has been detected (YARA)
- XWorm V5.4.exe (PID: 4052)
SUSPICIOUS
Executable content was dropped or overwritten
- XWorm V5.4.exe (PID: 4052)
INFO
Checks supported languages
- XWorm V5.4.exe (PID: 4052)
Reads the machine GUID from the registry
- XWorm V5.4.exe (PID: 4052)
Reads the computer name
- XWorm V5.4.exe (PID: 4052)
Create files in a temporary directory
- XWorm V5.4.exe (PID: 4052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:02:14 19:45:12+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 80 |
| CodeSize: | 14380544 |
| InitializedDataSize: | 140800 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xdb8bfe |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.4.0.0 |
| ProductVersionNumber: | 5.4.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | XCoder |
| CompanyName: | - |
| FileDescription: | XWorm |
| FileVersion: | 5.4.0.0 |
| InternalName: | XWorm.exe |
| LegalCopyright: | Copyright © 2024 |
| LegalTrademarks: | - |
| OriginalFileName: | XWorm.exe |
| ProductName: | XWorm |
| ProductVersion: | 5.4.0.0 |
| AssemblyVersion: | 5.4.0.0 |
Total processes
38
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4052 | "C:\Users\admin\AppData\Local\Temp\XWorm V5.4.exe" | C:\Users\admin\AppData\Local\Temp\XWorm V5.4.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: XWorm Exit code: 3762504530 Version: 5.4.0.0 Modules
| |||||||||||||||
Total events
148
Read events
148
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4052 | XWorm V5.4.exe | C:\Users\admin\AppData\Local\Temp\QrqYP\QrqYP.dll | executable | |
MD5:0B0E63957367E620B8697C5341AF35B9 | SHA256:BD9CDCFAA0EDECDB89A204965D20F4A896C6650D4840E28736D9BD832390E1C5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3892 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
watson.microsoft.com |
| whitelisted |