File name: ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077

Full analysis: https://app.any.run/tasks/9d08fba9-3451-4123-bbb9-ba099dfd6f1c
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: December 09, 2024, 15:12:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, pastebin, xworm, remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 67769F9120A30209FB33D79221B22DCB
SHA1: F87DD99033B516B085A5DD8F3DFE811CB41AA352
SHA256: AB08B93499AD773005F979D0424B17C9789B3485F2129FC6648FA45E2B86A077
SSDEEP: 768:jGPb1onH4nwI5PdiVNE2mFEPa9BbuAR6ROmh6zbNZ:+JibEzFd9xuAR6ROmY7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • XWORM has been detected (YARA)

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • XWORM has been detected (SURICATA)

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Connects to the CnC server

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2192)
      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Executable content was dropped or overwritten

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Reads the date of Windows installation

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • The process executes via Task Scheduler

      • rundll64.exe (PID: 3812)
      • rundll64.exe (PID: 5496)
      • rundll64.exe (PID: 3876)
    • Connects to unusual port

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Contacting a server suspected of hosting a CnC

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
  • INFO

    • Checks supported languages

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
      • rundll64.exe (PID: 3812)
      • rundll64.exe (PID: 5496)
    • Disables trace logs

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Checks proxy server information

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Reads the machine GUID from the registry

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
      • rundll64.exe (PID: 3876)
      • rundll64.exe (PID: 5496)
      • rundll64.exe (PID: 3812)
    • Reads the computer name

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
      • rundll64.exe (PID: 5496)
    • Reads Environment values

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Creates files in the program directory

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • The process uses the downloaded file

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)
    • Process checks computer location settings

      • ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (PID: 3576)

XWorm configuration (extracted from PID 3576, ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe)

C2: https://pastebin.com/raw/EiiXCJbn:<123456789>
Keys
AES: <Xwormmm>
Options
Splitter: 3
Sleep time: Juxtrum
USB drop name: USB.exe
Mutex: b6t9OniE5mSiJwn3

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:13 10:49:14+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 43520
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xc85e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Juxtrum.exe
LegalCopyright:
OriginalFileName: Juxtrum.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 124
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe (#XWORM), svchost.exe, schtasks.exe (no specs), conhost.exe (no specs), rundll64.exe (no specs, three instances)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3564
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3576
CMD: "C:\Users\admin\Desktop\ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe"
Path: C:\Users\admin\Desktop\ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3812
CMD: "C:\ProgramData\rundll64.exe"
Path: C:\ProgramData\rundll64.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\programdata\rundll64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3876
CMD: "C:\ProgramData\rundll64.exe"
Path: C:\ProgramData\rundll64.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\programdata\rundll64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5496
CMD: "C:\ProgramData\rundll64.exe"
Path: C:\ProgramData\rundll64.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\programdata\rundll64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5964
CMD: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "rundll64" /tr "C:\ProgramData\rundll64.exe"
Path: C:\Windows\System32\schtasks.exe
Parent process: ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 4 797
Read events: 4 783
Write events: 14
Delete events: 0

Modification events

All events below were performed by PID 3576 (ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe).

Operation | Key | Name | Value
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | EnableFileTracing | 0
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | EnableAutoFileTracing | 0
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | EnableConsoleTracing | 0
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | FileTracingMask |
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | ConsoleTracingMask |
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | MaxFileSize | 1048576
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | FileDirectory | %windir%\tracing
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS | EnableFileTracing | 0
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS | EnableAutoFileTracing | 0
write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS | EnableConsoleTracing | 0
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3576 | ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe | C:\ProgramData\rundll64.exe | executable
MD5: 67769F9120A30209FB33D79221B22DCB
SHA256: AB08B93499AD773005F979D0424B17C9789B3485F2129FC6648FA45E2B86A077
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 9
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
524 | svchost.exe | GET | 200 | 2.16.164.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
524 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3576 | ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | | | shared
 | | GET | 200 | 104.20.3.235:443 | https://pastebin.com/raw/EiiXCJbn | unknown | text | 18 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 13.71.55.58:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown
524 | svchost.exe | 13.71.55.58:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown
4712 | MoUsoCoreWorker.exe | 13.71.55.58:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown
 | | 2.23.209.156:443 | | Akamai International B.V. | GB | unknown
4712 | MoUsoCoreWorker.exe | 2.16.164.122:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
524 | svchost.exe | 2.16.164.122:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
524 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3576 | ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | shared

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.16.164.122
  • 2.16.164.24
  • 2.16.164.82
  • 2.16.164.106
  • 2.16.164.107
  • 2.16.164.43
  • 2.16.164.40
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
ip-api.com
  • 208.95.112.1
shared
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
pastebin.com
  • 104.20.4.235
  • 104.20.3.235
  • 172.67.19.24
shared
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3576 | ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
3576 | ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
3576 | ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet
3576 | ab08b93499ad773005f979d0424b17c9789b3485f2129fc6648fa45e2b86a077.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet
1 ETPRO signature is available in the full report
No debug info