File name: nl.exe
Full analysis: https://app.any.run/tasks/cbbb9d74-ffcd-49c7-bbc3-029ce12707ed
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: July 01, 2024, 15:08:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
pastebin
xworm
amsi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2EAB625E8EDFF71916273EF2C6A08085
SHA1: C91A0A3077CBE611352A3BF0BAE1FCCB2908F9E7
SHA256: BA3EB44397F3E31B096B0E5E7273C6439B8E4EC895F898284BFA954FC693E708
SSDEEP: 98304:MAM9omcQGMMGKR0t1W6gB7aeHGVGlhIaYmgJFIImMjJwHeUPLPIdrscS1bf3bf3X:Q8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • nl.exe (PID: 2268)
      • client.exe (PID: 4764)
    • Changes the autorun value in the registry

      • client.exe (PID: 4764)
    • Create files in the Startup directory

      • client.exe (PID: 4764)
    • XWORM has been detected (YARA)

      • client.exe (PID: 4764)
    • Connects to the CnC server

      • client.exe (PID: 4764)
  • SUSPICIOUS

    • Reads the BIOS version

      • nl.exe (PID: 2268)
    • Executable content was dropped or overwritten

      • nl.exe (PID: 2268)
      • client.exe (PID: 4764)
    • Reads the date of Windows installation

      • nl.exe (PID: 2268)
    • Reads security settings of Internet Explorer

      • nl.exe (PID: 2268)
    • Uses WMIC.EXE to obtain Windows Installer data

      • injector.exe (PID: 692)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5708)
    • Connects to unusual port

      • client.exe (PID: 4764)
    • Checks for external IP

      • injector.exe (PID: 692)
    • Contacting a server suspected of hosting an CnC

      • client.exe (PID: 4764)
    • Patches Antimalware Scan Interface function (YARA)

      • client.exe (PID: 4764)
  • INFO

    • Reads the computer name

      • nl.exe (PID: 2268)
      • injector.exe (PID: 692)
      • client.exe (PID: 4764)
    • Process checks computer location settings

      • nl.exe (PID: 2268)
    • Create files in a temporary directory

      • nl.exe (PID: 2268)
    • Checks supported languages

      • client.exe (PID: 4764)
      • nl.exe (PID: 2268)
      • injector.exe (PID: 692)
    • Reads the machine GUID from the registry

      • client.exe (PID: 4764)
      • injector.exe (PID: 692)
    • Reads Environment values

      • injector.exe (PID: 692)
      • client.exe (PID: 4764)
    • Disables trace logs

      • injector.exe (PID: 692)
      • client.exe (PID: 4764)
    • Checks proxy server information

      • injector.exe (PID: 692)
      • client.exe (PID: 4764)
    • Reads the software policy settings

      • injector.exe (PID: 692)
      • client.exe (PID: 4764)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5708)
    • Creates files or folders in the user directory

      • client.exe (PID: 4764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process: (4764) client.exe
C2: https://pastebin.com/raw/X4Zf0q6k:<123456789>
Keys
  AES: <Xwormmm>
Options
  Splitter: 3
  Sleep time: XWorm V5.2 (as extracted; this slot carries the family version string)
  USB drop name: USB.exe
  Mutex: W8laAt9hqK8viUIY

The C2 field holds a Pastebin raw-paste URL rather than a host, with <123456789> as the port placeholder: the client fetches the paste at run time to obtain its real C2 address (the pastebin.com connection by PID 4764 in the Connections section and the "pastebin" tag reflect this), so the paste URL alone does not identify the operator's server. <Xwormmm> is the default key string shipped with the XWorm builder, so this build's embedded settings are decryptable with the stock key.
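As an added example (not code from this report or from ANY.RUN), the following Go program reproduces the routine the XWorm client uses to decrypt its embedded settings, which is what a configuration extractor has to replicate. The routine (MD5 of the key string laid out at offsets 0 and 15 of a zeroed 32-byte AES-256 key, AES in ECB mode, PKCS#7 padding, Base64 transport) is taken from publicly analysed XWorm client code, not from this page. The encrypted strings are constructed here with that same routine from plaintext values the report shows; they are not bytes taken from client.exe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

// XWormKey reproduces the key layout of XWorm's settings decryption: the MD5
// of the key string is copied into a zeroed 32-byte buffer at offset 0 and
// again at offset 15, so byte 15 is overwritten by the digest's first byte and
// byte 31 stays zero. The 32-byte result selects AES-256.
func XWormKey(keyString string) []byte {
	sum := md5.Sum([]byte(keyString))
	key := make([]byte, 32)
	copy(key[0:16], sum[:])
	copy(key[15:31], sum[:])
	return key
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptXWorm mirrors the client: Base64-decode, AES-256-ECB decrypt block by
// block (Go deliberately ships no ECB mode, so it is spelled out, because ECB
// is what the malware uses), then strip PKCS#7 padding.
func DecryptXWorm(keyString, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(XWormKey(keyString))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	unpadded, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

// EncryptXWorm is the inverse, used here only to construct sample strings the
// way a builder would embed them.
func EncryptXWorm(keyString, plaintext string) string {
	block, _ := aes.NewCipher(XWormKey(keyString))
	pt := pkcs7Pad([]byte(plaintext))
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(ct)
}

func main() {
	const key = "<Xwormmm>" // AES key string from this report's extracted config
	// Constructed sample: plaintext fields from the report, encrypted with the
	// same routine so they can be decrypted back (not bytes from client.exe).
	fields := map[string]string{
		"Host":  "https://pastebin.com/raw/X4Zf0q6k",
		"Port":  "123456789",
		"Mutex": "W8laAt9hqK8viUIY",
	}
	for name, value := range fields {
		b64 := EncryptXWorm(key, value)
		dec, err := DecryptXWorm(key, b64)
		fmt.Printf("%-5s %s -> %q (err=%v)\n", name, b64, dec, err)
	}
}
```

Because the mode is ECB with no authentication, a wrong key does not fail cleanly: it yields garbage that only sometimes trips the padding check, so an extractor should validate decrypted settings (a parsable host, a numeric port) rather than trust the absence of an error.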

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.2)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:15 16:44:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 3584
InitializedDataSize: 228864
UninitializedDataSize: -
EntryPoint: 0x48b000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
137
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph (process tree, from the parent relationships in Process information)

explorer.exe
  nl.exe (PID 2268)
    client.exe (PID 4764) #XWORM
    injector.exe (PID 692)
      wmic.exe (PID 5708, no specs)
        conhost.exe (PID 900, no specs)

Process information

PID: 692
CMD: "C:\Users\admin\AppData\Local\Temp\injector.exe"
Path: C:\Users\admin\AppData\Local\Temp\injector.exe
Parent process: nl.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\injector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 900
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2268
CMD: "C:\Users\admin\AppData\Local\Temp\nl.exe"
Path: C:\Users\admin\AppData\Local\Temp\nl.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.3636_none_c0df324c38bbc0ce\comctl32.dll
PID: 4764
CMD: "C:\Users\admin\AppData\Local\Temp\client.exe"
Path: C:\Users\admin\AppData\Local\Temp\client.exe
Parent process: nl.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5708
CMD: "wmic.exe" csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
8 834
Read events
8 797
Write events
37
Delete events
0

Modification events

(PID) Process: (2268) nl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (2268) nl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (2268) nl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (2268) nl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (692) injector.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\injector_RASAPI32
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (692) injector.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\injector_RASAPI32
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (692) injector.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\injector_RASAPI32
Operation: write | Name: EnableConsoleTracing | Value: 0

(PID) Process: (692) injector.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\injector_RASAPI32
Operation: write | Name: FileTracingMask | Value:

(PID) Process: (692) injector.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\injector_RASAPI32
Operation: write | Name: ConsoleTracingMask | Value:

(PID) Process: (692) injector.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\injector_RASAPI32
Operation: write | Name: MaxFileSize | Value: 1048576

None of the listed writes is the autorun change flagged under MALICIOUS; that value is not shown in this excerpt. The four ZoneMap values are the defaults the Internet Settings zone manager writes the first time a process initialises it, which is why nl.exe also trips "Reads security settings of Internet Explorer"; they show that the loader used the WinINet stack, not that it changed zone policy. The injector_RASAPI32 tracing values are created automatically when a process loads rasapi32.dll (typical of .NET code that touches System.Net) and are the tracing-off defaults, which is what the "Disables trace logs" signature keys on.
Executable files
3
Suspicious files
0
Text files
0
Unknown types
1

Dropped files

PID | Process | Filename | Type
2268 | nl.exe | C:\Users\admin\AppData\Local\Temp\client.exe | executable
  MD5: 4C8B3444D260EA3D7737FD95B2CEAA24
  SHA256: E0CCE502BBE4105F0634AFA2994B01C8D4816108AD51295B8B4DE6504C576CCB
4764 | client.exe | C:\Users\admin\installer.exe | executable
  MD5: 4C8B3444D260EA3D7737FD95B2CEAA24
  SHA256: E0CCE502BBE4105F0634AFA2994B01C8D4816108AD51295B8B4DE6504C576CCB
2268 | nl.exe | C:\Users\admin\AppData\Local\Temp\injector.exe | executable
  MD5: C9B347A376039E869C9E23D342104FC3
  SHA256: 27EA5856CEB25C7BB7C99CF883ECAEE2C7FC7B1E9C595C0E2B18CCEA0DDA1441
4764 | client.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installer.lnk | lnk
  MD5: 81BC826BD823E344B271EC86D004C7F5
  SHA256: F4880B0E063A2A64A112B00DF1916F55959745A1E872D3BA4218FA382F3327F0

installer.exe has the same MD5 and SHA256 as client.exe: the XWorm client copies itself into the user profile and persists through the Startup-folder shortcut installer.lnk, in addition to the autorun registry value flagged above. For response, the SHA256 E0CCE502... identifies both the Temp copy and the persisted copy, and the Startup folder and Run keys of the affected user are the places to check for the shortcut and value.
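Added example, not part of the report: a small Go rule set that turns the behaviours documented above (an executable dropped into Temp and started by its dropper, a shortcut written to the Startup folder, a Run-key autorun value, "wmic csproduct get uuid" spawned by a Temp-resident parent, and the ip-api.com hosting check) into detections over constructed telemetry modelled on this report's process tree. The event schema is this example's own, the two benign control events and their PIDs are invented, and the Run-key value name "installer" is an assumption, since the report only states that the autorun value changed.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal, vendor-neutral telemetry record constructed for this
// example; the field names are this example's own, not a sandbox or EDR schema.
type Event struct {
	Kind    string // "file", "process", "registry" or "http"
	PID     int
	Image   string // image path of the acting process
	Parent  string // parent image path (Kind == "process")
	CmdLine string // command line (Kind == "process")
	Target  string // dropped file path, registry value path, or URL
}

// Hit records which rule fired and on which process.
type Hit struct {
	Rule string
	PID  int
}

const userTemp = `C:\Users\admin\AppData\Local\Temp\`

// SampleEvents is constructed from the process tree, dropped files, registry
// writes and HTTP request in this report, plus two benign control events.
// The Run-key value name "installer" is an assumption.
var SampleEvents = []Event{
	{Kind: "file", PID: 2268, Image: userTemp + "nl.exe", Target: userTemp + "client.exe"},
	{Kind: "file", PID: 2268, Image: userTemp + "nl.exe", Target: userTemp + "injector.exe"},
	{Kind: "process", PID: 4764, Image: userTemp + "client.exe", Parent: userTemp + "nl.exe", CmdLine: `"` + userTemp + `client.exe"`},
	{Kind: "process", PID: 692, Image: userTemp + "injector.exe", Parent: userTemp + "nl.exe", CmdLine: `"` + userTemp + `injector.exe"`},
	{Kind: "process", PID: 5708, Image: `C:\Windows\System32\wbem\WMIC.exe`, Parent: userTemp + "injector.exe", CmdLine: `"wmic.exe" csproduct get uuid`},
	{Kind: "http", PID: 692, Image: userTemp + "injector.exe", Target: "http://ip-api.com/line/?fields=hosting"},
	{Kind: "file", PID: 4764, Image: userTemp + "client.exe", Target: `C:\Users\admin\installer.exe`},
	{Kind: "file", PID: 4764, Image: userTemp + "client.exe", Target: `C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installer.lnk`},
	{Kind: "registry", PID: 4764, Image: userTemp + "client.exe", Target: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\installer`},
	// Benign controls (invented): an admin shell querying WMI, and a CRL fetch by svchost.
	{Kind: "process", PID: 3100, Image: `C:\Windows\System32\wbem\WMIC.exe`, Parent: `C:\Windows\System32\cmd.exe`, CmdLine: `wmic csproduct get uuid`},
	{Kind: "http", PID: 2336, Image: `C:\Windows\System32\svchost.exe`, Target: "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
}

func lower(s string) string { return strings.ToLower(s) }

func inUserTemp(path string) bool {
	return strings.Contains(lower(path), `\appdata\local\temp\`)
}

// baseName returns the file name of a Windows path; path/filepath would treat
// the backslashes as ordinary characters on a non-Windows host.
func baseName(path string) string {
	if i := strings.LastIndex(path, `\`); i >= 0 {
		return path[i+1:]
	}
	return path
}

// Detect evaluates five rules modelled on this report's behaviour signatures.
// It scans the whole slice first so the drop-then-execute rule can correlate.
func Detect(events []Event) []Hit {
	var hits []Hit
	dropped := map[string]string{} // lower-cased dropped .exe path -> dropper image
	for _, e := range events {
		t := lower(e.Target)
		if e.Kind == "file" && inUserTemp(t) && strings.HasSuffix(t, ".exe") {
			dropped[t] = lower(e.Image)
		}
	}
	for _, e := range events {
		img, parent, cmd, t := lower(e.Image), lower(e.Parent), lower(e.CmdLine), lower(e.Target)
		switch e.Kind {
		case "process":
			// 1: a just-dropped Temp executable started by the process that wrote it.
			if dropper, ok := dropped[img]; ok && dropper == parent {
				hits = append(hits, Hit{"dropped_exe_executed_by_dropper", e.PID})
			}
			// 2: hardware UUID query (VM/sandbox fingerprinting) whose parent runs from Temp.
			if baseName(img) == "wmic.exe" && strings.Contains(cmd, "csproduct") &&
				strings.Contains(cmd, "uuid") && inUserTemp(parent) {
				hits = append(hits, Hit{"wmic_csproduct_uuid_from_temp_parent", e.PID})
			}
		case "file":
			// 3: shortcut written to the per-user Startup folder.
			if strings.Contains(t, `\start menu\programs\startup\`) && strings.HasSuffix(t, ".lnk") {
				hits = append(hits, Hit{"startup_folder_lnk", e.PID})
			}
		case "registry":
			// 4: value written under a Run key.
			if strings.Contains(t, `\currentversion\run\`) {
				hits = append(hits, Hit{"run_key_autorun_value", e.PID})
			}
		case "http":
			// 5: hosting/datacenter lookup against ip-api.com.
			if strings.Contains(t, "ip-api.com") && strings.Contains(t, "fields=hosting") {
				hits = append(hits, Hit{"external_ip_hosting_lookup", e.PID})
			}
		}
	}
	return hits
}

// CountByRule summarises hits per rule name.
func CountByRule(hits []Hit) map[string]int {
	counts := map[string]int{}
	for _, h := range hits {
		counts[h.Rule]++
	}
	return counts
}

func main() {
	for _, h := range Detect(SampleEvents) {
		fmt.Printf("%-40s PID %d\n", h.Rule, h.PID)
	}
}
```

Rule 2 keys on the parent's location rather than on wmic.exe alone, because "csproduct get uuid" from an administrator's shell is routine; rule 1 needs both a file-write and a process-start event, which is why the detector correlates across the whole event list instead of judging events one at a time.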
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
47
DNS requests
17
Threats
7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL
692 | injector.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting
2336 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
884 | SIHClient.exe | GET | - | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
2336 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
3040 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
1544 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
3748 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D

(The CN, Type, Size and Reputation columns held only "unknown" or no value in the report and are omitted; "-" marks a missing HTTP code.)

Only the first row is attributable to the sample: injector.exe asks ip-api.com whether the egress address belongs to a hosting/datacenter range, a cheap sandbox check that the "Checks for external IP" signature refers to. The remaining CRL and OCSP fetches come from Windows and Office components and are ordinary certificate-revocation traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2336 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2868 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1992 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
692 | injector.exe | 142.250.186.163:443 | gstatic.com | GOOGLE | US | whitelisted
692 | injector.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
2336 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2336 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4764 | client.exe | 172.67.19.24:443 | pastebin.com | CLOUDFLARENET | US | unknown

Of these, only the injector.exe rows (gstatic.com, most likely an Internet-connectivity check, and the ip-api.com hosting lookup) and the client.exe fetch from pastebin.com, the dead-drop C2 resolver named in the configuration, belong to the sample; the rest is Windows background traffic. The actual C2 endpoint resolved from the paste is not among the connections shown in this excerpt.

DNS requests

Domain
IP
Reputation
gstatic.com
  • 142.250.186.163
whitelisted
ip-api.com
  • 208.95.112.1
shared
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
pastebin.com
  • 172.67.19.24
  • 104.20.3.235
  • 104.20.4.235
shared
self.events.data.microsoft.com
  • 51.105.71.137
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.16.110.123
  • 2.16.110.171
  • 2.16.110.176
  • 2.16.110.121
  • 2.16.110.195
  • 2.16.110.193
  • 2.16.110.170
whitelisted
r.bing.com
  • 2.16.110.195
  • 2.16.110.171
  • 2.16.110.176
  • 2.16.110.193
  • 2.16.110.121
  • 2.16.110.123
  • 2.16.110.170
whitelisted

Threats

PID | Process | Class | Message
692 | injector.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
692 | injector.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2168 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2168 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
2168 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
2 ETPRO signatures available at the full report

The three DNS-based alerts are attributed to svchost.exe (PID 2168) because the DNS Client service performs lookups on behalf of the requesting process; the ip-api lookup belongs to injector.exe and the pastebin lookup to client.exe. The playit.gg alert shows that a playit.gg tunnelling hostname was resolved during the run; that name does not appear in the DNS list above, so the operator's real endpoint cannot be read from this excerpt, and the pastebin.com "Not Suspicious" classification reflects the domain's reputation, not the role the paste plays as C2 resolver here.
Debug output strings

Process: nl.exe
Message: %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

This banner is emitted by the Themida packer stub: nl.exe is a Themida-protected loader, which is consistent with the inconclusive TRiD guesses (Delphi/generic), the very small CodeSize (3584) against a large InitializedDataSize, and an entry point (0x48b000) well outside the code section. The packer's own anti-sandbox checks plausibly account for the BIOS-version and Windows-installation-date reads attributed to nl.exe, and static analysis of the loader should start with unpacking rather than with the PE as dropped.