File name:

.exe

Full analysis: https://app.any.run/tasks/6ea990bd-1d83-4914-8569-46a97684c784
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: March 14, 2025, 19:10:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autorun-reg
autorun-startup
xworm
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

D8775E527345425FCD5BA97920DD23F2

SHA1:

B266D4014040C284072A8EA39102B599CB0AB1E3

SHA256:

B431176118165E4EB0E091633B9E45D835F39F02335DECDE364E8CE5144DB56D

SSDEEP:

1536:vBxLCwXmvksDogPfR5M+iHkbGi+K2R7I0zyw6uiqTOPi63Lh:D+lfR/iHkbGiU80OMiQOqu9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • Create files in the Startup directory

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • XWORM has been detected (YARA)

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • XWORM has been detected (SURICATA)

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • Connects to unusual port

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • Contacting a server suspected of hosting an CnC

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

  • INFO

    • Checks supported languages

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)
      • schvost.exe (PID: 7420)

    • Reads the computer name

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)
      • schvost.exe (PID: 7420)

    • Reads the machine GUID from the registry

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)
      • schvost.exe (PID: 7420)

    • Creates files or folders in the user directory

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • Autorun file from Registry key

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • Manual execution by a user

      • schvost.exe (PID: 7420)

    • Autorun file from Startup directory

      • 6ea990bd-1d83-4914-8569-46a97684c784.exe (PID: 7340)

    • Checks proxy server information

      • slui.exe (PID: 7836)

    • Reads the software policy settings

      • slui.exe (PID: 7836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(7340) 6ea990bd-1d83-4914-8569-46a97684c784.exe
C2127.0.0.1,25.ip.gl.ply.gg:60031
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexAkpiG6kCo0grLho8
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:05 16:49:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 67072
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x1248e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: ььььь.exe
LegalCopyright:
OriginalFileName: ььььь.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XWORM 6ea990bd-1d83-4914-8569-46a97684c784.exe schvost.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7340"C:\Users\admin\Desktop\6ea990bd-1d83-4914-8569-46a97684c784.exe" C:\Users\admin\Desktop\6ea990bd-1d83-4914-8569-46a97684c784.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\6ea990bd-1d83-4914-8569-46a97684c784.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(7340) 6ea990bd-1d83-4914-8569-46a97684c784.exe
C2127.0.0.1,25.ip.gl.ply.gg:60031
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexAkpiG6kCo0grLho8
7420"C:\Users\admin\AppData\Roaming\schvost.exe" C:\Users\admin\AppData\Roaming\schvost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\schvost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
7836C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 239
Read events
4 238
Write events
1
Delete events
0

Modification events

(PID) Process:(7340) 6ea990bd-1d83-4914-8569-46a97684c784.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:schvost
Value:
C:\Users\admin\AppData\Roaming\schvost.exe
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
73406ea990bd-1d83-4914-8569-46a97684c784.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schvost.lnkbinary
MD5:75B1400C3300A882893073DA000AD3A9
SHA256:272EFF6828ABC1E5EA552C41C0BBDB6A00266C59115C6577FAE4F5884FFB0276
73406ea990bd-1d83-4914-8569-46a97684c784.exeC:\Users\admin\AppData\Roaming\schvost.exeexecutable
MD5:D8775E527345425FCD5BA97920DD23F2
SHA256:B431176118165E4EB0E091633B9E45D835F39F02335DECDE364E8CE5144DB56D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
23
DNS requests
4
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7340
6ea990bd-1d83-4914-8569-46a97684c784.exe
147.185.221.25:60031
25.ip.gl.ply.gg
PLAYIT-GG
US
malicious
6516
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7836
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
25.ip.gl.ply.gg
  • 147.185.221.25
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
7340
6ea990bd-1d83-4914-8569-46a97684c784.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
7340
6ea990bd-1d83-4914-8569-46a97684c784.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info