File name:	bypass.bat
Full analysis:	https://app.any.run/tasks/18f866db-1294-4e59-aaeb-9125c53906d6
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	February 07, 2025, 07:27:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github fody evasion stealer loader python telegram remote xworm pyinstaller
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, Unicode text, UTF-8 text, with very long lines (389), with CRLF line terminators
MD5:	BDC77140867FAEA84D1F3DCABBCF25DF
SHA1:	AF63E86BFBE258E9F2289C39589AA3D158CEDB56
SHA256:	621C958504B020D469F2759A6ACD5494552921515FF9B01FC73892FA6488D463
SSDEEP:	24:ywzR3Ja5TMtWy/gFR35MJ5TkztWkjGbuF6x9VMxCBfpTbRpTbkV:lzRANMtWTRpENkztWkUC6LKCBfpTbRp0


(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(7048) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:

PID	Process	Filename		Type
6328	powershell.exe	C:\Users\Public\bot2.exe		executable
		MD5:3BEA36D1287DE03C7EBA8A7EE348D35C	SHA256:9E11C2806CFC43666CF6FFDD3131B90A9E4ED555831B1BEB9DEA1AAFF0EA3E01
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_ARC4.pyd		executable
		MD5:BCD8CAAF9342AB891BB1D8DD45EF0098	SHA256:78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_aes.pyd		executable
		MD5:0AB25F99CDAACA6B11F2ECBE8223CAD5	SHA256:6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_cbc.pyd		executable
		MD5:40390F2113DC2A9D6CFAE7127F6BA329	SHA256:6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_cast.pyd		executable
		MD5:2E15AA6F97ED618A3236CFA920988142	SHA256:516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_pkcs1_decode.pyd		executable
		MD5:C09BB8A30F0F733C81C5C5A3DAD8D76D	SHA256:8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_ecb.pyd		executable
		MD5:80BB1E0E06ACAF03A0B1D4EF30D14BE7	SHA256:5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_cfb.pyd		executable
		MD5:899895C0ED6830C4C9A3328CC7DF95B6	SHA256:18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_ctr.pyd		executable
		MD5:C4C525B081F8A0927091178F5F2EE103	SHA256:4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_des.pyd		executable
		MD5:F9E266F763175B8F6FD4154275F8E2F0	SHA256:14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	302	140.82.121.4:443	https://github.com/mailclone2500/stealer/raw/refs/heads/main/path.exe	unknown	—	—	unknown
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	302	140.82.121.3:443	https://github.com/minhdmkk6/bot1/raw/refs/heads/main/XClient.exe	unknown	—	—	unknown
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	—	142.250.184.228:443	https://www.google.com/async/ddljson?async=ntp:2	unknown	—	—	unknown
—	—	GET	—	142.250.186.163:443	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg	unknown	—	—	unknown
—	—	GET	—	142.250.186.163:443	https://www.gstatic.com/og/_/js/k=og.qtm.en_US.XA6cJfY6CcY.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTsZ_cj3WMWRDcM6h5dBKoKiPSrw3g	unknown	—	—	unknown
1448	XClient.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	whitelisted
6920	bot2.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=8195	unknown	—	—	whitelisted
—	—	POST	204	104.126.37.139:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6328	powershell.exe	140.82.121.4:443	github.com	GITHUB	US	whitelisted
3976	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6328	powershell.exe	185.199.108.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6800	powershell.exe	140.82.121.4:443	github.com	GITHUB	US	whitelisted

Domain	IP	Reputation
google.com	142.250.186.46	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
github.com	140.82.121.4	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
raw.githubusercontent.com	185.199.108.133 185.199.111.133 185.199.110.133 185.199.109.133	whitelisted
clientservices.googleapis.com	142.250.185.67	whitelisted
accounts.google.com	142.250.102.84	whitelisted
www.google.com	216.58.206.68	whitelisted
ip-api.com	208.95.112.1	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET HUNTING EXE Downloaded from Github
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

bypass.bat

BDC77140867FAEA84D1F3DCABBCF25DF

AF63E86BFBE258E9F2289C39589AA3D158CEDB56

621C958504B020D469F2759A6ACD5494552921515FF9B01FC73892FA6488D463

24:ywzR3Ja5TMtWy/gFR35MJ5TkztWkjGbuF6x9VMxCBfpTbRpTbkV:lzRANMtWTRpENkztWkUC6LKCBfpTbRp0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Uses TASKKILL.EXE to kill security tools

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

Create files in the Startup directory

XWORM has been detected (SURICATA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Downloads file from URI via Powershell

Likely accesses (executes) a file from the Public directory

The process drops C-runtime libraries

Starts process via Powershell

Executable content was dropped or overwritten

Process drops python dynamic module

Process drops legitimate windows executable

Application launched itself

Starts CMD.EXE for commands execution

Loads Python modules

Uses TASKKILL.EXE to kill process

Uses TASKKILL.EXE to kill Browsers

Manipulates environment variables

Checks for external IP

Potential Corporate Privacy Violation

Reads security settings of Internet Explorer

Reads the date of Windows installation

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Contacting a server suspected of hosting an CnC

Connects to unusual port

The process executes via Task Scheduler

INFO

Disables trace logs

Checks proxy server information

Detects Fody packer (YARA)

Checks supported languages

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Checks operating system version

Reads Environment values

Reads the machine GUID from the registry

Creates files or folders in the user directory

Process checks computer location settings

Script raised an exception (POWERSHELL)

PyInstaller has been detected (YARA)

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules