File name: Start FL.exe

Full analysis: https://app.any.run/tasks/35873dc6-a31b-4bb0-9623-f6f850f941c0
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: January 08, 2024, 10:24:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, xworm, remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 00305C373E1459A1791F8D25D71B7D8D
SHA1: C9C3C49F9978E7A80120346A870A2C64D1052697
SHA256: 81D25E82CD1F3AAAF1F46128B29C32899FEC873CC93EB35CABC17DB7647372F2
SSDEEP: 6144:x6JfpgbJNcFXI+FCrsQb3P4Rzh6JPlmKqhz:kuNcFXI+FC4uGemNhz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • Start FL.exe (PID: 116)
    • Uses Task Scheduler to run other applications

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • XWORM has been detected (YARA)

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • Changes the autorun value in the registry

      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • Reads settings of System Certificates

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
  • INFO

    • Drops the executable file immediately after the start

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • Checks supported languages

      • Start FL.exe (PID: 116)
      • XClient.exe (PID: 1584)
      • XClient.exe (PID: 1784)
      • Start FL.exe (PID: 2640)
      • XClient.exe (PID: 1388)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
      • XClient.exe (PID: 2528)
      • XClient.exe (PID: 3128)
    • Reads Environment values

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • Reads the computer name

      • Start FL.exe (PID: 116)
      • XClient.exe (PID: 1584)
      • Start FL.exe (PID: 2640)
      • XClient.exe (PID: 1388)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
      • XClient.exe (PID: 2528)
      • XClient.exe (PID: 3128)
      • XClient.exe (PID: 1784)
    • Reads the machine GUID from the registry

      • Start FL.exe (PID: 116)
      • XClient.exe (PID: 1388)
      • XClient.exe (PID: 1784)
      • Start FL.exe (PID: 2640)
      • Start FL.exe (PID: 1268)
      • XClient.exe (PID: 2528)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
      • XClient.exe (PID: 3128)
      • XClient.exe (PID: 1584)
    • Checks for external IP

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • Creates files or folders in the user directory

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • Connects to unusual port

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)
    • The process executes via Task Scheduler

      • XClient.exe (PID: 1584)
      • XClient.exe (PID: 1388)
      • XClient.exe (PID: 2528)
      • XClient.exe (PID: 3128)
      • XClient.exe (PID: 1784)
    • XWORM has been detected (SURICATA)

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
    • Connects to the CnC server

      • Start FL.exe (PID: 116)
      • Start FL.exe (PID: 1268)
    • Manual execution by a user

      • Start FL.exe (PID: 2640)
      • taskmgr.exe (PID: 2588)
      • Start FL.exe (PID: 1268)
      • Patch by N0lik FL Studio 21.2.2.3914.exe (PID: 2824)

XWorm

(PID) Process(116) Start FL.exe
C2: https://pastebin.com/raw/yEFBrPn5:<123456789>
Keys
AES: <Xwormmm>
Options
Splitter: 3
Sleep time: XWorm V5.2
USB drop name: USB.exe
Mutex: v52xl5ZqMWVDugQX

(PID) Process(1268) Start FL.exe
C2: https://pastebin.com/raw/yEFBrPn5:<123456789>
Keys
AES: <Xwormmm>
Options
Splitter: 3
Sleep time: XWorm V5.2
USB drop name: USB.exe
Mutex: v52xl5ZqMWVDugQX

(PID) Process(2824) Patch by N0lik FL Studio 21.2.2.3914.exe
C2: 127.0.0.1,5.tcp.eu.ngrok.io,0.tcp.eu.ngrok.io,7.tcp.eu.ngrok.io:14762
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: group
Mutex: R0cBWWO54AG2skxr

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:07 15:46:41+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 75264
InitializedDataSize: 102912
UninitializedDataSize: -
EntryPoint: 0x144fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: XClient.exe
LegalCopyright:
OriginalFileName: XClient.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 56
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in display order ("no specs" marks a process with no signatures attached):

  • start
  • #XWORM start fl.exe
  • schtasks.exe (no specs)
  • xclient.exe (no specs)
  • xclient.exe (no specs)
  • start fl.exe (no specs)
  • xclient.exe (no specs)
  • taskmgr.exe (no specs)
  • #XWORM start fl.exe
  • schtasks.exe (no specs)
  • xclient.exe (no specs)
  • #XWORM patch by n0lik fl studio 21.2.2.3914.exe
  • schtasks.exe (no specs)
  • xclient.exe (no specs)

Process information

PID: 116
CMD: "C:\Users\admin\AppData\Local\Temp\Start FL.exe"
Path: C:\Users\admin\AppData\Local\Temp\Start FL.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Version: 1.0.0.0
Indicators: XWorm (configuration for PID 116 as listed in the XWorm section above)

PID: 1268
CMD: "C:\Users\admin\Desktop\Start FL.exe"
Path: C:\Users\admin\Desktop\Start FL.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Indicators: XWorm (configuration for PID 1268 as listed in the XWorm section above)

PID: 1388
CMD: C:\Users\admin\AppData\Roaming\XClient.exe
Path: C:\Users\admin\AppData\Roaming\XClient.exe
Parent process: taskeng.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 1584
CMD: C:\Users\admin\AppData\Roaming\XClient.exe
Path: C:\Users\admin\AppData\Roaming\XClient.exe
Parent process: taskeng.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 1784
CMD: C:\Users\admin\AppData\Roaming\XClient.exe
Path: C:\Users\admin\AppData\Roaming\XClient.exe
Parent process: taskeng.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 2016
CMD: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "XClient" /tr "C:\Users\admin\AppData\Roaming\XClient.exe"
Path: C:\Windows\System32\schtasks.exe
Parent process: Start FL.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2528
CMD: C:\Users\admin\AppData\Roaming\XClient.exe
Path: C:\Users\admin\AppData\Roaming\XClient.exe
Parent process: taskeng.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 2588
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2640
CMD: "C:\Users\admin\Desktop\Start FL.exe"
Path: C:\Users\admin\Desktop\Start FL.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 2824
CMD: "C:\Users\admin\Desktop\Patch by N0lik FL Studio 21.2.2.3914.exe"
Path: C:\Users\admin\Desktop\Patch by N0lik FL Studio 21.2.2.3914.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 0.0.0.0
Indicators: XWorm (configuration for PID 2824 as listed in the XWorm section above)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
116 | Start FL.exe | C:\Users\admin\AppData\Roaming\XClient.exe | executable
    MD5: 00305C373E1459A1791F8D25D71B7D8D
    SHA256: 81D25E82CD1F3AAAF1F46128B29C32899FEC873CC93EB35CABC17DB7647372F2
116 | Start FL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | binary
    MD5: FAFA50CCD3CCE37183D83B734B1AAE78
    SHA256: CDBEF4EBE97FCAA0CF387C7934F5609682FD8D0A0ED8DE4E687159428A0B5CA8
2824 | Patch by N0lik FL Studio 21.2.2.3914.exe | C:\Users\admin\AppData\Roaming\XClient.exe | executable
    MD5: 3AE6DF39DA5EAA0D470350566B9B5C69
    SHA256: 906593945CEAAECE7DF24C710A03364A48E8B817C2BE480EFCD4A5B7BD65A7BC
1268 | Start FL.exe | C:\Users\admin\AppData\Roaming\XClient.exe | executable
    MD5: 00305C373E1459A1791F8D25D71B7D8D
    SHA256: 81D25E82CD1F3AAAF1F46128B29C32899FEC873CC93EB35CABC17DB7647372F2
HTTP(S) requests: 3
TCP/UDP connections: 14
DNS requests: 8
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2824 | Patch by N0lik FL Studio 21.2.2.3914.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | text | 6 b | unknown
116 | Start FL.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | text | 6 b | unknown
1268 | Start FL.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | text | 6 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
116 | Start FL.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
116 | Start FL.exe | 172.67.34.170:443 | pastebin.com | CLOUDFLARENET | US | unknown
116 | Start FL.exe | 18.192.31.165:19396 | 0.tcp.eu.ngrok.io | AMAZON-02 | DE | malicious
1268 | Start FL.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
1268 | Start FL.exe | 172.67.34.170:443 | pastebin.com | CLOUDFLARENET | US | unknown
1268 | Start FL.exe | 18.192.31.165:19396 | 0.tcp.eu.ngrok.io | AMAZON-02 | DE | malicious
2824 | Patch by N0lik FL Studio 21.2.2.3914.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown

DNS requests

Domain | IP | Reputation
ip-api.com | 208.95.112.1 | shared
pastebin.com | 172.67.34.170, 104.20.67.143, 104.20.68.143 | shared
0.tcp.eu.ngrok.io | 18.192.31.165 | malicious
5.tcp.eu.ngrok.io | 3.67.62.142 | malicious

Threats

PID | Process | Class | Message
116 | Start FL.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
116 | Start FL.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
116 | Start FL.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
1080 | svchost.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io)
116 | Start FL.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm
- | - | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
1268 | Start FL.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
1268 | Start FL.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
1080 | svchost.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io)
1268 | Start FL.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm
3 ETPRO signatures available at the full report
No debug info