| File name: | XWorm V5.2.zip |
| Full analysis: | https://app.any.run/tasks/9b4b966e-f49e-41ff-8b33-1c7515d203f9 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | December 27, 2023, 13:51:10 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | CF5CDCFBFC10272C3DE836925B71D332 |
| SHA1: | CED8D1E851764A9241E1CDB8ADEF02128DF11E4F |
| SHA256: | 8613E5155EBCADABC00E16F23E94A5DFC522911CF15586F5DE7D041EAAE2DD3A |
| SSDEEP: | 98304:pqpLD/airmULKBiZYielMuHrhL0MOdxzc8TYpQsi5/cDSjj1N5CXKEaDZbfp0tvm:p5spg1r7pCXLJeUYVzxGrfyIenw |
MALICIOUS
XWORM has been detected (YARA)
- XWorm V5.2.exe (PID: 764)
SUSPICIOUS
Reads the Internet Settings
- XWorm V5.2.exe (PID: 764)
INFO
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2040)
- XWorm V5.2.exe (PID: 764)
Manual execution by a user
- rundll32.exe (PID: 1864)
- XWorm V5.2.exe (PID: 764)
Checks supported languages
- XWorm V5.2.exe (PID: 764)
Reads the computer name
- XWorm V5.2.exe (PID: 764)
Create files in a temporary directory
- XWorm V5.2.exe (PID: 764)
Reads the machine GUID from the registry
- XWorm V5.2.exe (PID: 764)
Application launched itself
- msedge.exe (PID: 1536)
- msedge.exe (PID: 3120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:11:05 21:09:24 |
| ZipCRC: | 0x70417008 |
| ZipCompressedSize: | 9346844 |
| ZipUncompressedSize: | 12782080 |
| ZipFileName: | XWorm V5.2.exe |
Total processes
59
Monitored processes
22
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 764 | "C:\Users\admin\Desktop\New folder\XWorm V5.2.exe" | C:\Users\admin\Desktop\New folder\XWorm V5.2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: XWorm Exit code: 0 Version: 5.2.0.0 Modules
| |||||||||||||||
| 1124 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x66a4f598,0x66a4f5a8,0x66a4f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1192 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1000 --field-trial-handle=1368,i,17878852237590404596,17261797943824622016,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1424 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1368,i,17878852237590404596,17261797943824622016,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1536 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools | C:\Program Files\Microsoft\Edge\Application\msedge.exe | XWorm V5.2.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1864 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\New folder\SimpleObfuscator.dll | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1904 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1368,i,17878852237590404596,17261797943824622016,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2040 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XWorm V5.2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2364 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3776 --field-trial-handle=1368,i,17878852237590404596,17261797943824622016,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2368 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1516 --field-trial-handle=1368,i,17878852237590404596,17261797943824622016,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
3 007
Read events
2 967
Write events
39
Delete events
1
Modification events
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1536) msedge.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
Executable files
23
Suspicious files
77
Text files
51
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\Mono.Cecil.dll | executable | |
MD5:DE69BB29D6A9DFB615A90DF3580D63B1 | SHA256:F66F97866433E688ACC3E4CD1E6EF14505F81DF6B26DD6215E376767F6F954BC | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\XWorm V5.2.exe.config | xml | |
MD5:66F09A3993DCAE94ACFE39D45B553F58 | SHA256:7EA08548C23BD7FD7C75CA720AC5A0E8CA94CB51D06CD45EBF5F412E4BBDD7D7 | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\XWormLoader 5.2 x64.exe.config | xml | |
MD5:15C8C4BA1AA574C0C00FD45BB9CCE1AB | SHA256:F82338E8E9C746B5D95CD2CCC7BF94DD5DE2B9B8982FFFDDF2118E475DE50E15 | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\XWormLoader 5.2 x32.exe | executable | |
MD5:F3B2EC58B71BA6793ADCC2729E2140B1 | SHA256:2D74EB709AEA89A181CF8DFCC7E551978889F0D875401A2F1140487407BF18AE | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\XWormLoader 5.2 x32.exe.config | xml | |
MD5:15C8C4BA1AA574C0C00FD45BB9CCE1AB | SHA256:F82338E8E9C746B5D95CD2CCC7BF94DD5DE2B9B8982FFFDDF2118E475DE50E15 | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\Background.png | image | |
MD5:C93EE3ABEFF4AC24936471F80B36EC7A | SHA256:2F691CAFF7E1980CFB069D2608B6470B3A06CDB90467CE47820E8602115A0C5B | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\Fixer.bat | text | |
MD5:2DABC46CE85AAFF29F22CD74EC074F86 | SHA256:A11703FD47D16020FA099A95BB4E46247D32CF8821DC1826E77A971CDD3C4C55 | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\Mono.Cecil.Pdb.dll | executable | |
MD5:6D5EB860C2BE5DBEB470E7D3F3E7DDA4 | SHA256:447EDE1984BB4ACD73BD97C0EC57A11C079CEE8301C91FB199CA98C1906D3CC4 | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\FastColoredTextBox.dll | executable | |
MD5:B746707265772B362C0BA18D8D630061 | SHA256:3701B19CCDAC79B880B197756A972027E2AC609EBED36753BD989367EA4EF519 | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.7739\GMap.NET.WindowsForms.dll | executable | |
MD5:32A8742009FFDFD68B46FE8FD4794386 | SHA256:741E1A8F05863856A25D101BD35BF97CBA0B637F0C04ECB432C1D85A78EF1365 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
25
DNS requests
23
Threats
1
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1536 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2740 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2740 | msedge.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown |
2740 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2740 | msedge.exe | 20.105.95.163:443 | nav-edge.smartscreen.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2740 | msedge.exe | 51.104.176.40:443 | data-edge.smartscreen.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2740 | msedge.exe | 34.111.35.152:443 | cdn4.cdn-telegram.org | GOOGLE | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.edge.skype.com |
| whitelisted |
t.me |
| whitelisted |
nav-edge.smartscreen.microsoft.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
data-edge.smartscreen.microsoft.com |
| whitelisted |
telegram.org |
| whitelisted |
cdn4.cdn-telegram.org |
| unknown |
www.bing.com |
| whitelisted |
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2740 | msedge.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
Process | Message |
|---|---|
msedge.exe | [1227/135203.492:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
|