File name:	bypass.bat
Full analysis:	https://app.any.run/tasks/18f866db-1294-4e59-aaeb-9125c53906d6
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	February 07, 2025, 07:27:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github fody evasion stealer loader python telegram remote xworm pyinstaller
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, Unicode text, UTF-8 text, with very long lines (389), with CRLF line terminators
MD5:	BDC77140867FAEA84D1F3DCABBCF25DF
SHA1:	AF63E86BFBE258E9F2289C39589AA3D158CEDB56
SHA256:	621C958504B020D469F2759A6ACD5494552921515FF9B01FC73892FA6488D463
SSDEEP:	24:ywzR3Ja5TMtWy/gFR35MJ5TkztWkjGbuF6x9VMxCBfpTbRpTbkV:lzRANMtWTRpENkztWkUC6LKCBfpTbRp0


(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(7048) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(7048) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(1448) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:

PID	Process	Filename		Type
6328	powershell.exe	C:\Users\Public\bot2.exe		executable
		MD5:3BEA36D1287DE03C7EBA8A7EE348D35C	SHA256:9E11C2806CFC43666CF6FFDD3131B90A9E4ED555831B1BEB9DEA1AAFF0EA3E01
6328	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_npqblixm.muj.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_pkcs1_decode.pyd		executable
		MD5:C09BB8A30F0F733C81C5C5A3DAD8D76D	SHA256:8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_ARC4.pyd		executable
		MD5:BCD8CAAF9342AB891BB1D8DD45EF0098	SHA256:78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_cast.pyd		executable
		MD5:2E15AA6F97ED618A3236CFA920988142	SHA256:516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_chacha20.pyd		executable
		MD5:DC14677EA8A8C933CC41F9CCF2BEDDC1	SHA256:68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_aesni.pyd		executable
		MD5:B6EA675C3A35CD6400A7ECF2FB9530D1	SHA256:76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_arc2.pyd		executable
		MD5:F14E1AA2590D621BE8C10321B2C43132	SHA256:FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
6732	bot2.exe	C:\Users\admin\AppData\Local\Temp\_MEI67322\Crypto\Cipher\_raw_blowfish.pyd		executable
		MD5:B127CAE435AEB8A2A37D2A1BC1C27282	SHA256:538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
6328	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fslbrdku.jyc.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	302	140.82.121.4:443	https://github.com/mailclone2500/stealer/raw/refs/heads/main/path.exe	unknown	—	—	—
—	—	GET	302	140.82.121.3:443	https://github.com/minhdmkk6/bot1/raw/refs/heads/main/XClient.exe	unknown	—	—	—
1448	XClient.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	whitelisted
—	—	GET	—	142.250.186.163:443	https://www.gstatic.com/og/_/js/k=og.qtm.en_US.XA6cJfY6CcY.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTsZ_cj3WMWRDcM6h5dBKoKiPSrw3g	unknown	—	—	—
—	—	GET	—	142.250.186.163:443	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg	unknown	—	—	—
—	—	GET	—	142.250.184.228:443	https://www.google.com/async/ddljson?async=ntp:2	unknown	—	—	—
6920	bot2.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=8195	unknown	—	—	whitelisted
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/minhdmkk6/bot1/refs/heads/main/XClient.exe	unknown	executable	75.0 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6328	powershell.exe	140.82.121.4:443	github.com	GITHUB	US	whitelisted
3976	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6328	powershell.exe	185.199.108.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6800	powershell.exe	140.82.121.4:443	github.com	GITHUB	US	whitelisted

Domain	IP	Reputation
google.com	142.250.186.46	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
github.com	140.82.121.4	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
raw.githubusercontent.com	185.199.108.133 185.199.111.133 185.199.110.133 185.199.109.133	whitelisted
clientservices.googleapis.com	142.250.185.67	whitelisted
accounts.google.com	142.250.102.84	whitelisted
www.google.com	216.58.206.68	whitelisted
ip-api.com	208.95.112.1	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET HUNTING EXE Downloaded from Github
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

bypass.bat

BDC77140867FAEA84D1F3DCABBCF25DF

AF63E86BFBE258E9F2289C39589AA3D158CEDB56

621C958504B020D469F2759A6ACD5494552921515FF9B01FC73892FA6488D463

24:ywzR3Ja5TMtWy/gFR35MJ5TkztWkjGbuF6x9VMxCBfpTbRpTbkV:lzRANMtWTRpENkztWkUC6LKCBfpTbRp0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Uses TASKKILL.EXE to kill security tools

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Uses Task Scheduler to run other applications

Create files in the Startup directory

Changes the autorun value in the registry

XWORM has been detected (SURICATA)

SUSPICIOUS

Starts process via Powershell

Likely accesses (executes) a file from the Public directory

Downloads file from URI via Powershell

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Process drops python dynamic module

The process drops C-runtime libraries

Application launched itself

Starts CMD.EXE for commands execution

Uses TASKKILL.EXE to kill process

Loads Python modules

Uses TASKKILL.EXE to kill Browsers

Manipulates environment variables

Checks for external IP

Reads the date of Windows installation

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Contacting a server suspected of hosting an CnC

The process executes via Task Scheduler

Connects to unusual port

Process drops legitimate windows executable

INFO

Disables trace logs

Checks proxy server information

Detects Fody packer (YARA)

Reads the computer name

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

Checks operating system version

Reads Environment values

Reads the machine GUID from the registry

Process checks computer location settings

Creates files or folders in the user directory

Script raised an exception (POWERSHELL)

PyInstaller has been detected (YARA)

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules