File name:	Discord.exe
Full analysis:	https://app.any.run/tasks/4250ccbd-4919-4682-9aa1-58ac863ee7cc
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	January 02, 2025, 10:14:12
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github loader evasion remote xworm reflection crypto-regex
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5:	C98883CCAF09EC8918C0A649BFE602F3
SHA1:	D9C56C1E8E0F7ECE157F48ABE4CC9658D55C3D3A
SHA256:	B391E1E8BFC3434CCB8ADEC497EEC855BC4C14F0FC01A985E3549F59FDE8AA71
SSDEEP:	1536:7CYa+ihNuNMv2blAyHQ5MaAt7JmyxCV7tBKhilgVcRdMjjMOw:7CYa+0Nu6vQAkQ5S7JmyxCbBKhiTbMj0

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Win16/32 Executable Delphi generic (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:07:30 08:52:45+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	2.5
CodeSize:	70656
InitializedDataSize:	19968
UninitializedDataSize:	-
EntryPoint:	0x1000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows command line


(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(3612) Runtime Broker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Runtime Broker_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
4716	powershell.exe	C:\Users\admin\AppData\Local\Temp\Discord.exe		—
		MD5:—	SHA256:—
5732	Discord.exe	C:\Users\admin\AppData\Roaming\Runtime Broker.exe		executable
		MD5:9492B52955D1C44B0A7846A6AD9B11EC	SHA256:2471322E0A10A9DD45F455ABEA0EDF95C13120B8D254DA755D81A1AAC023B2BA
4144	Discord.exe	C:\Users\admin\AppData\Local\Temp\639F.tmp\63A0.tmp\63A1.bat		text
		MD5:7CAC02DAC5B233B8A5CC3D3468CDE5BC	SHA256:16CB39AD8262A76C3D5C9A183FE298F955620C052A6C9D385659CD842F9FFE9E
3612	Runtime Broker.exe	C:\Users\admin\AppData\Roaming\Update.exe		executable
		MD5:9492B52955D1C44B0A7846A6AD9B11EC	SHA256:2471322E0A10A9DD45F455ABEA0EDF95C13120B8D254DA755D81A1AAC023B2BA
5732	Discord.exe	C:\Users\admin\AppData\Roaming\Fortnite.exe		executable
		MD5:B2366CDF646D8D950B487DC896AF27B2	SHA256:E025A711DF64C888E0A3CCE755EE75DE336046768B147BC43EA34B2B835C591C
4716	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:FBDD74808D07A8DFF2FA806191939851	SHA256:75AF58708F169F24EABF2E17D44F763596B298BCD7CC209AFDA29B8BD24AFA0E
3612	Runtime Broker.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk		lnk
		MD5:A66B646FB292ED8023987CE1E9CAA169	SHA256:DBC90B1F4C7D03A5BB5E2302BD62D1CCA9106BC2B5D665A038EF4FAB9BA77A63
4716	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2uvqdgwn.nr4.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4716	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5ehtxm3e.hxe.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6060	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6060	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	302	140.82.121.3:443	https://github.com/ind1337xhtml/-wcx/raw/refs/heads/main/Discord.exe	unknown	—	—	unknown
3612	Runtime Broker.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/ind1337xhtml/-wcx/refs/heads/main/Discord.exe	unknown	executable	2.06 Mb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
6060	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6060	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6060	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
www.bing.com	2.23.209.149 2.23.209.179 2.23.209.158 2.23.209.185 2.23.209.182 2.23.209.177 2.23.209.140 2.23.209.176 2.23.209.150	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
github.com	140.82.121.3	shared
raw.githubusercontent.com	185.199.109.133 185.199.108.133 185.199.110.133 185.199.111.133	shared
ip-api.com	208.95.112.1	shared
associated-mercedes.gl.at.ply.gg	147.185.221.24	unknown
self.events.data.microsoft.com	52.182.141.63	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3612	Runtime Broker.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
3612	Runtime Broker.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
2192	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
3612	Runtime Broker.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
2192	svchost.exe	Misc activity	ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
3612	Runtime Broker.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

Discord.exe

C98883CCAF09EC8918C0A649BFE602F3

D9C56C1E8E0F7ECE157F48ABE4CC9658D55C3D3A

B391E1E8BFC3434CCB8ADEC497EEC855BC4C14F0FC01A985E3549F59FDE8AA71

1536:7CYa+ihNuNMv2blAyHQ5MaAt7JmyxCV7tBKhilgVcRdMjjMOw:7CYa+0Nu6vQAkQ5S7JmyxCbBKhiTbMj0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

XWORM has been detected (YARA)

Create files in the Startup directory

XWORM has been detected (SURICATA)

SUSPICIOUS

Executing commands from a ".bat" file

Executable content was dropped or overwritten

Downloads file from URI via Powershell

Reads the date of Windows installation

Reads security settings of Internet Explorer

Checks for external IP

Starts POWERSHELL.EXE for commands execution

Connects to unusual port

Found regular expressions for crypto-addresses (YARA)

Starts CMD.EXE for commands execution

Detects reflection assembly loader (YARA)

Contacting a server suspected of hosting an CnC

INFO

Checks proxy server information

Checks supported languages

The process uses the downloaded file

Reads the computer name

Reads the machine GUID from the registry

Disables trace logs

Creates files or folders in the user directory

Process checks computer location settings

Create files in a temporary directory

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests