File name:

Xworm V5.6.exe

Full analysis: https://app.any.run/tasks/bb3443c8-76f1-41c8-b810-1091ac8d7d7f
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: June 30, 2024, 17:29:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
xworm
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

56CCB739926A725E78A7ACF9AF52C4BB

SHA1:

5B01B90137871C3C8F0D04F510C4D56B23932CBC

SHA256:

90F58865F265722AB007ABB25074B3FC4916E927402552C6BE17EF9AFAC96405

SSDEEP:

98304:YZTc5mejU/jUsP4dppEPRe88fjwlulzeDKS491gWdBwE65VRPTv0GKVWuqsdhXib:YeV9gJ0FPeoiwIH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Xworm V5.6.exe (PID: 3344)

    • XWORM has been detected (YARA)

      • Xworm V5.6.exe (PID: 900)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3408)

  • INFO

    • Reads the computer name

      • Xworm V5.6.exe (PID: 3344)
      • Xworm V5.6.exe (PID: 900)

    • Reads the machine GUID from the registry

      • Xworm V5.6.exe (PID: 3344)
      • Xworm V5.6.exe (PID: 900)

    • Checks supported languages

      • Xworm V5.6.exe (PID: 3344)
      • Xworm V5.6.exe (PID: 900)

    • Manual execution by a user

      • WinRAR.exe (PID: 3408)
      • explorer.exe (PID: 2760)
      • Xworm V5.6.exe (PID: 900)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3408)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3408)

    • Reads Environment values

      • Xworm V5.6.exe (PID: 900)

    • Reads Microsoft Office registry keys

      • Xworm V5.6.exe (PID: 900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:08 21:58:05+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 15461376
InitializedDataSize: 140800
UninitializedDataSize: -
EntryPoint: 0xec0b9e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.6.0.0
ProductVersionNumber: 5.6.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: XCoder
CompanyName: -
FileDescription: XWorm
FileVersion: 5.6.0.0
InternalName: XWorm.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: XWorm.exe
ProductName: XWorm
ProductVersion: 5.6.0.0
AssemblyVersion: 5.6.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start xworm v5.6.exe PhotoViewer.dll no specs explorer.exe no specs winrar.exe #XWORM xworm v5.6.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
900"C:\Users\admin\Desktop\Xworm-V5.6\Xworm V5.6.exe" C:\Users\admin\Desktop\Xworm-V5.6\Xworm V5.6.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
XWorm
Version:
5.6.0.0
Modules
Images
c:\users\admin\desktop\xworm-v5.6\xworm v5.6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2348C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2760"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3344"C:\Users\admin\AppData\Local\Temp\Xworm V5.6.exe" C:\Users\admin\AppData\Local\Temp\Xworm V5.6.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
XWorm
Exit code:
3762504530
Version:
5.6.0.0
Modules
Images
c:\users\admin\appdata\local\temp\xworm v5.6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3408"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Xworm-V5.6.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
7 093
Read events
7 064
Write events
29
Delete events
0

Modification events

(PID) Process:(2348) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
DllHost.exe
(PID) Process:(2348) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer
Operation:writeName:MainWndPos
Value:
A8FEFFFF54000000E8020000A002000000000000
(PID) Process:(3408) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3408) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3408) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3408) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(3408) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3408) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3408) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3408) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Xworm-V5.6.rar
Executable files
48
Suspicious files
51
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\GMap.NET.WindowsForms.dllexecutable
MD5:32A8742009FFDFD68B46FE8FD4794386
SHA256:741E1A8F05863856A25D101BD35BF97CBA0B637F0C04ECB432C1D85A78EF1365
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\FastColoredTextBox.dllexecutable
MD5:B746707265772B362C0BA18D8D630061
SHA256:3701B19CCDAC79B880B197756A972027E2AC609EBED36753BD989367EA4EF519
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\GMap.NET.Core.dllexecutable
MD5:819352EA9E832D24FC4CEBB2757A462B
SHA256:58C755FCFC65CDDEA561023D736E8991F0AD69DA5E1378DEA59E98C5DB901B86
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\IconExtractor.dllexecutable
MD5:640D8FFA779C6DD5252A262E440C66C0
SHA256:440912D85D2F98BB4F508AB82847067C18E1E15BE0D8ECDCFF0CC19327527FC2
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\Icons\icon (1).icoimage
MD5:4F409511E9F93F175CD18187379E94CB
SHA256:115F0DB669B624D0A7782A7CFAF6E7C17282D88DE3A287855DBD6FE0F8551A8F
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\Icons\icon (10).icoimage
MD5:AD1740CB3317527AA1ACAE6E7440311E
SHA256:7A97547954AAAD629B0563CC78BCA75E3339E8408B70DA2ED67FA73B4935D878
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\Icons\icon (11).icoimage
MD5:1C2CEA154DEEDC5A39DAEC2F1DADF991
SHA256:3B64B79E4092251EBF090164CD2C4815390F34849BBD76FB51085B6A13301B6D
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\Icons\icon (12).icoimage
MD5:4EA9AB789F5AE96766E3F64C8A4E2480
SHA256:84B48CA52DFCD7C74171CF291D2EF1247C3C7591A56B538083834D82857FEE50
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\Icons\icon (13).icoimage
MD5:E6FEC4185B607E01A938FA405E0A6C6C
SHA256:2E2F17B7DD15007192E7CBBD0019355F8BE58068DC5042323123724B99AE4B44
3408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3408.11070\Xworm-V5.6\Icons\icon (14).icoimage
MD5:0C24EDEC606ABDA7C6570B7DCF439298
SHA256:8FC693238AFC49A8098DAC1762BFAE891E818BB84749C6EEF5F1B0C6C8FFDDB2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.50.131.208:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
23.50.131.205:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
23.50.131.208:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
23.50.131.205:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.208
  • 23.50.131.199
  • 23.50.131.196
  • 23.50.131.202
  • 23.50.131.222
  • 23.50.131.216
  • 23.50.131.205
  • 23.50.131.210
  • 23.50.131.213
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Xworm V5.6.exe