File name:	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta
Full analysis:	https://app.any.run/tasks/7857c383-72fd-4858-8750-18c66f345b46
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	March 31, 2025, 11:14:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit loader xworm remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	B5201201273C1580A4DF673C30BFBF4D
SHA1:	2E656011D4983EE00AF5ADEDD03C637DE045935B
SHA256:	58229092085D5EBF56B8E04A42636665737106A1C31798962B462310F464A3E8
SSDEEP:	24576:Op+/4UURxUruRrax70p5O9Qx+aAm0vYRO8t4wX:OE/XUraxm5O9QMal0QRO8t40

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:03:31 00:04:46+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.16
CodeSize:	734208
InitializedDataSize:	577536
UninitializedDataSize:	-
EntryPoint:	0x2549c
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode


(PID) Process:	(7464) 2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7464) 2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7464) 2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	C:\Users\admin\AppData\Local\Temp\tmp4687.tmp		executable
		MD5:5B6D504E295F3C95BA551F983E80ECA7	SHA256:7A72281B6C126A481F2BAC591525A0EA487BAE627C1B1B1986CF1A079FB537FA
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	C:\Users\admin\Desktop\windowsupdate.exe		executable
		MD5:5B6D504E295F3C95BA551F983E80ECA7	SHA256:7A72281B6C126A481F2BAC591525A0EA487BAE627C1B1B1986CF1A079FB537FA
7488	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ye3rg3ex.jlo.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7928	windowsupdate.exe	C:\Users\admin\AppData\Roaming\XClient.exe		executable
		MD5:5B6D504E295F3C95BA551F983E80ECA7	SHA256:7A72281B6C126A481F2BAC591525A0EA487BAE627C1B1B1986CF1A079FB537FA
7488	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:831123CE930380454B492439DA23DE87	SHA256:A76D6A340B012734112B6F1FE10CADC9BF875578E733B89DA8E3ADD04D13AEB2
7488	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vnxisxky.szz.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\panel[1].exe		executable
		MD5:5B6D504E295F3C95BA551F983E80ECA7	SHA256:7A72281B6C126A481F2BAC591525A0EA487BAE627C1B1B1986CF1A079FB537FA
7928	windowsupdate.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk		binary
		MD5:6099B313C1B0426F8DCCA46E68BC0909	SHA256:0D101046D829F6C912145FB87AE736E0CFE9A884E0F1BC4D614C8C82E90334CB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	GET	200	103.153.64.233:80	http://tiendev.click/panel.exe	VN	executable	34.0 Kb	malicious
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2656	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	103.153.64.233:80	tiendev.click	Hanoi Technology and Equipment Joint Stock Company	VN	malicious
2104	svchost.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7928	windowsupdate.exe	222.252.52.129:8877	bot2025.zapto.org	VNPT Corp	VN	malicious
7188	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7308	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
tiendev.click	103.153.64.233	malicious
crl.microsoft.com	23.216.77.42 23.216.77.6 23.216.77.8 23.216.77.22 23.216.77.28	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
bot2025.zapto.org	222.252.52.129	malicious
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	A Network Trojan was detected	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	Misc activity	ET INFO AutoIt User Agent Executable Request
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
7928	windowsupdate.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7464	2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta.exe	Misc activity	ET HUNTING Possible EXE Download From Suspicious TLD
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
7928	windowsupdate.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

2025-03-31_b5201201273c1580a4df673c30bfbf4d_agent-tesla_black-basta

B5201201273C1580A4DF673C30BFBF4D

2E656011D4983EE00AF5ADEDD03C637DE045935B

58229092085D5EBF56B8E04A42636665737106A1C31798962B462310F464A3E8

24576:Op+/4UURxUruRrax70p5O9Qx+aAm0vYRO8t4wX:OE/XUraxm5O9QMal0QRO8t40

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes Windows Defender settings

Run PowerShell with an invisible window

Adds path to the Windows Defender exclusion list

Create files in the Startup directory

XWORM has been detected (YARA)

XWORM has been detected (SURICATA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Uses REG/REGEDIT.EXE to modify registry

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the date of Windows installation

Potential Corporate Privacy Violation

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Reads mouse settings

The sample compiled with english language support

Checks supported languages

Reads the computer name

Checks proxy server information

Create files in a temporary directory

Creates files or folders in the user directory

Process checks computer location settings

Reads the machine GUID from the registry

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Reads the software policy settings

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections