File name:

786KZ_XClient.exe

Full analysis: https://app.any.run/tasks/38e68251-bc48-4ae2-803a-366080397240
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: December 14, 2024, 01:48:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

4083A7B0BB99C3C0901E6B2D3B8ECB57

SHA1:

E75228A3AB05884F5E4F4F3A1C84C97948ED639B

SHA256:

A3F6C40692C41525D6D958DF42C8C3CDC40D85ADF30BE50117C570DE46125897

SSDEEP:

1536:D1E+9+p1ZCiHsLkbUtdkUeXjHPTfkOKAb:D14X8kbUtd7YPIOKe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XWORM has been detected (YARA)

      • 786KZ_XClient.exe (PID: 420)
    • XWORM has been detected (SURICATA)

      • 786KZ_XClient.exe (PID: 420)
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2192)
    • Connects to unusual port

      • 786KZ_XClient.exe (PID: 420)
    • Contacting a server suspected of hosting an CnC

      • 786KZ_XClient.exe (PID: 420)
  • INFO

    • Reads the computer name

      • 786KZ_XClient.exe (PID: 420)
    • Checks supported languages

      • 786KZ_XClient.exe (PID: 420)
    • Reads the machine GUID from the registry

      • 786KZ_XClient.exe (PID: 420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
OriginalFileName: XClient.exe
LegalCopyright:
InternalName: XClient.exe
FileVersion: 1.0.0.0
FileDescription:
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xe72e
UninitializedDataSize: -
InitializedDataSize: 2048
CodeSize: 51200
LinkerVersion: 11
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:12:14 01:30:28+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XWORM 786kz_xclient.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
420"C:\Users\admin\Desktop\786KZ_XClient.exe" C:\Users\admin\Desktop\786KZ_XClient.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\786kz_xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
1 991
Read events
1 991
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
42
DNS requests
8
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4536
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4536
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4536
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.131:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4536
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4536
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.bing.com
  • 104.126.37.131
  • 104.126.37.145
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
Rythen123-64818.portmap.host
  • 193.161.193.99
malicious
self.events.data.microsoft.com
  • 20.189.173.9
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info