File name:	1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded
Full analysis:	https://app.any.run/tasks/973ad982-8f44-4145-b56a-ef4d7f8bc58f
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	April 28, 2025, 10:36:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg auto-startup xworm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	12A8E44BD59FF864BE966D75E295E669
SHA1:	D723436089025700F371BA8D95BCF25A986584A0
SHA256:	9938E2428E2E91B1AE3473CB801CB5954D147505B8B53A7B0DD63ECE289B0E13
SSDEEP:	768:rKdcA6ByQFUGCJ6DgoXv4VFq9JPO7hPRaq:rkcA6kQqQJXvgFq9JPO7Z9

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:28 05:43:15+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	33792
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0xa28e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	XClient.exe
LegalCopyright:
OriginalFileName:	XClient.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6872) 1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded
Value: C:\Users\admin\AppData\Roaming\1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded.exe

PID	Process	Filename		Type
6872	1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded.exe	C:\Users\admin\AppData\Roaming\1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded.exe		executable
		MD5:12A8E44BD59FF864BE966D75E295E669	SHA256:9938E2428E2E91B1AE3473CB801CB5954D147505B8B53A7B0DD63ECE289B0E13
6872	1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded.lnk		binary
		MD5:0AEF5EFFEB648362FAFDAF080E53A5C8	SHA256:406AD7274BD6FBBBFCDB7F676338FF751230F43C3125AE4E426518B9779378E9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
4268	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4268	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
4268	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4268	SIHClient.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
—	—	GET	200	20.242.39.171:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
4268	SIHClient.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6544	svchost.exe	40.126.32.136:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.186.46	whitelisted
crl.microsoft.com	23.32.238.112 23.32.238.107	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
login.live.com	40.126.32.136 20.190.160.5 20.190.160.67 20.190.160.64 40.126.32.140 20.190.160.131 20.190.160.20 20.190.160.22	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted

General Info

1745836265da719325ab687b21e75012c706efe8b9a5e14e5394650431659942a908a1f8b6744.dat-decoded

12A8E44BD59FF864BE966D75E295E669

D723436089025700F371BA8D95BCF25A986584A0

9938E2428E2E91B1AE3473CB801CB5954D147505B8B53A7B0DD63ECE289B0E13

768:rKdcA6ByQFUGCJ6DgoXv4VFq9JPO7hPRaq:rkcA6kQqQJXvgFq9JPO7Z9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Create files in the Startup directory

XWORM has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Auto-launch of the file from Registry key

Auto-launch of the file from Startup directory

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings