| File name: | XWorm V5.4.zip |
| Full analysis: | https://app.any.run/tasks/8c34db59-7d82-4bd5-996d-638895c3a0d0 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | March 16, 2024, 17:58:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=AES Encrypted |
| MD5: | FD0247C77E5CC9465E51609481DBC230 |
| SHA1: | 17E8B30F785AA22B87F505AB8A56EE8D8E28131B |
| SHA256: | 866415E1C6AA509660AD526F107B45425FCC2313777C0BC428DDF0839B7C0944 |
| SSDEEP: | 98304:RnvgE2zVETvkPU8Fh21KSjj3lHicz+aHgUhyCpxeMZCfaiEeQ2C5adtuy9xNQO3k:usSrrA//UfRQY1tTbF8 |
MALICIOUS
Drops the executable file immediately after the start
- XWorm V5.4.exe (PID: 4044)
XWORM has been detected (YARA)
- XWorm V5.4.exe (PID: 4044)
SUSPICIOUS
Executable content was dropped or overwritten
- XWorm V5.4.exe (PID: 4044)
INFO
Manual execution by a user
- XWorm V5.4.exe (PID: 4044)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 4008)
Checks supported languages
- XWorm V5.4.exe (PID: 4044)
Reads the computer name
- XWorm V5.4.exe (PID: 4044)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4008)
Create files in a temporary directory
- XWorm V5.4.exe (PID: 4044)
Reads the machine GUID from the registry
- XWorm V5.4.exe (PID: 4044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 2024:02:14 16:48:30 |
| ZipCRC: | 0xbb105171 |
| ZipCompressedSize: | 10186156 |
| ZipUncompressedSize: | 14521856 |
| ZipFileName: | XWorm V5.4.exe |
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4008 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XWorm V5.4.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 4044 | "C:\Users\admin\Desktop\XWorm V5.4.exe" | C:\Users\admin\Desktop\XWorm V5.4.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: XWorm Exit code: 3762504530 Version: 5.4.0.0 Modules
| |||||||||||||||
Total events
3 522
Read events
3 510
Write events
12
Delete events
0
Modification events
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\XWorm V5.4.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb4008.43178\XWorm V5.4.exe | executable | |
MD5:065A8D7FAD2AD13B9F04DE982294EB21 | SHA256:3B2F28E621AF3EA54ABF28071E2F36143A30AA87A091F0EE3764C15B2DEA4303 | |||
| 4044 | XWorm V5.4.exe | C:\Users\admin\AppData\Local\Temp\QrqYP\QrqYP.dll | executable | |
MD5:0B0E63957367E620B8697C5341AF35B9 | SHA256:BD9CDCFAA0EDECDB89A204965D20F4A896C6650D4840E28736D9BD832390E1C5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |