File name:	TGMacro.v2.91.Portable.rar
Full analysis:	https://app.any.run/tasks/84205ab4-d256-4561-a98c-f28bde160989
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	January 31, 2025, 09:43:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec remote xworm
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	FAF566256BB46C925D61B09C18D6DE40
SHA1:	5CBBE524AC7EB51C237CC3968A1277C276EE2035
SHA256:	C07C640B2808E8E2A8199F67EA78C3F5505FEDD6B03D2EF23262DBED9E068F67
SSDEEP:	24576:5rav5KnZskzp8e8/ysexIcFM8SPlwM0/gWYxur8xBqzIu:5rav5KZskzp8e8ysexIcFBS9wM0/gWYM

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

FileVersion:	RAR v5
CompressedSize:	8334
UncompressedSize:	19968
OperatingSystem:	Win32
ArchivedFileName:	TGMacro.v2.91.Portable/Libs/CSInputs.dll


(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\TGMacro.v2.91.Portable.rar
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5092) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender
(PID) Process:	(5652) CHANCE.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Dofus_3.0-x64
Value: C:\Users\admin\AppData\Roaming\Dofus_3.0-x64.exe

PID	Process	Filename		Type
5092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR5092.43225\TGMacro.v2.91.Portable.rar\TGMacro.v2.91.Portable\Libs\CSInputs.dll		executable
		MD5:8BEB7AB2FC0284271E53193CB14F07A8	SHA256:BFB7D28A39E4A401BFD55BB97107A60CF5BBA465B6D6BA28E924F0966703508E
3524	TGMacro.exe	C:\Users\admin\AppData\Local\Temp\TGMacro.exe		executable
		MD5:4FF446B7336D27D25D15AD328821BDAA	SHA256:2BFC555EE6456B53C2DB200833C70C65D892595F5E584A07123D5CE9E43332A9
3524	TGMacro.exe	C:\Users\admin\AppData\Local\Temp\SZA.png‮.exe		executable
		MD5:1D59CB42C557C56FEF71DB49CD88693F	SHA256:A81E8997A757427AD54B5535D9D96AC3EF8B8B26767CFFF492D91A7D6B37072C
3524	TGMacro.exe	C:\Users\admin\AppData\Local\Temp\CSInputs.dll		executable
		MD5:8BEB7AB2FC0284271E53193CB14F07A8	SHA256:BFB7D28A39E4A401BFD55BB97107A60CF5BBA465B6D6BA28E924F0966703508E
5092	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR5092.43225\Rar$Scan8341.bat		text
		MD5:C31E0EF56EFC61317ED712F0515BE207	SHA256:CA8C50A57F55E58BC4FB2646888A303BEC9AEEB1B25B3F1375090331B4B1C9A5
2436	SZA.png‮.exe	C:\Users\admin\AppData\Local\Temp\CHANCE.exe		executable
		MD5:55361EE8A6AE7D88221E9ABE454C4A7B	SHA256:C15CB9153F11756DF0F266E00A6E864B97E6DBF21AC37B77845DE486F91E7EFF
5652	CHANCE.exe	C:\Users\admin\AppData\Roaming\Dofus_3.0-x64.exe		executable
		MD5:43787C6735C1CA7B674D2AE30CF66637	SHA256:82B86BBBC47845F37155B758B0BAC02F91C1804B4C8C3E16E0E7712B6DF1A8BA
3544	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:46A6F48856BD3A0FA4E474393365B080	SHA256:C9A45EC21CC43296515A4ABE024D060DBA8D58529ADBF3A0D914E33C9EF663BC
1144	DZADZ.exe	C:\Users\admin\AppData\Roaming\SubDir.exe		executable
		MD5:65C0453D5C2DC8A8187525135B5F50A5	SHA256:03892A9D8CBD339B10024C9164F35EBD6D64BC6A92CE472E416560CD2F4F70F3
1144	DZADZ.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SubDir.lnk		binary
		MD5:B82C7D777E48780EBCC9C84BFC430B66	SHA256:9641A68C1854B33F68E683B6C14F2425A3291247F65C8826A740E8B657B0ABF0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.43:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3220	svchost.exe	GET	200	2.16.164.43:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3220	svchost.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	204	104.126.37.131:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3220	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4712	MoUsoCoreWorker.exe	2.16.164.43:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3220	svchost.exe	2.16.164.43:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
3220	svchost.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
google.com	142.250.186.142	whitelisted
crl.microsoft.com	2.16.164.43 2.16.164.66 2.16.164.9 2.16.164.10 2.16.164.24 2.16.164.42 2.16.164.33 2.16.164.131 2.16.164.17	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
www.bing.com	2.21.65.157 2.21.65.132 2.21.65.154 2.21.65.153	whitelisted
mean-signal.gl.at.ply.gg	147.185.221.24	unknown
self.events.data.microsoft.com	40.79.197.35	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
2192	svchost.exe	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
1144	DZADZ.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

TGMacro.v2.91.Portable.rar

FAF566256BB46C925D61B09C18D6DE40

5CBBE524AC7EB51C237CC3968A1277C276EE2035

C07C640B2808E8E2A8199F67EA78C3F5505FEDD6B03D2EF23262DBED9E068F67

24576:5rav5KnZskzp8e8/ysexIcFM8SPlwM0/gWYxur8xBqzIu:5rav5KZskzp8e8ysexIcFBS9wM0/gWYM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Bypass execution policy to execute commands

Adds path to the Windows Defender exclusion list

Changes powershell execution policy (Bypass)

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Create files in the Startup directory

XWORM has been detected (SURICATA)

XWORM has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

There is functionality for taking screenshot (YARA)

The process executes via Task Scheduler

Contacting a server suspected of hosting an CnC

Connects to unusual port

INFO

Manual execution by a user

Reads the machine GUID from the registry

Process checks computer location settings

Reads the computer name

Checks supported languages

Create files in a temporary directory

Executable content was dropped or overwritten

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Creates files or folders in the user directory

Malware configuration

XWorm

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity