File name:	loader.exe
Full analysis:	https://app.any.run/tasks/02ba3989-931c-4213-a9cb-7494145a0fe0
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	December 14, 2024, 09:21:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github remote xworm loader amsi-bypass
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	0A3CAA24FAAC73876ACBDCA11B6CDA57
SHA1:	FA619ABF5C6F84598B500152A19D64EE4FBCD6D4
SHA256:	C301D8C10990B7AC7804C3ED68F9E52682722507E950E6BC83B2796F5170449A
SSDEEP:	6144:q7ZpPCYXxQhzP92Yy5ax8ZZCHd4OBCUQlP:q7Zp68Yzl2rGP9MlP

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

AssemblyVersion:	1.0.0.0
ProductVersion:	1.0.0.0
OriginalFileName:	loader.exe
LegalCopyright:
InternalName:	loader.exe
FileVersion:	1.0.0.0
FileDescription:
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	1.0.0.0
FileVersionNumber:	1.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x45722
UninitializedDataSize:	-
InitializedDataSize:	2048
CodeSize:	276480
LinkerVersion:	8
PEType:	PE32
ImageFileCharacteristics:	Executable
TimeStamp:	2024:12:14 08:54:39+00:00
MachineType:	Intel 386 or later, and compatibles


(PID) Process:	(5464) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5464) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5464) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4444) $77loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4444) $77loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4444) $77loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4444) $77loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4444) $77loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4444) $77loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4444) $77loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing

PID	Process	Filename		Type
3808	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_ceb40nao.hvj.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3808	powershell.exe	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:CFBBFED8A5647BA457DD1115F529084B	SHA256:ED48AA62426EFAFB55329EEDEBAF36AAFC4DCD78B4AF94FCB873835D6D93A8B1
3808	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_glzb4aes.53r.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3172	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5zw1ynok.t1z.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3172	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kfdvz24l.a4t.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3172	powershell.exe	C:\ProgramData\$77Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\skibidi.exe		executable
		MD5:A11F28D78A308270DEFB227A3927C5B5	SHA256:2C48AD9CA24D85EB94B5EBF78FCEBE9CF36F373AD0DADFC3228BE333184C8DFD
4444	$77loader.exe	C:\Users\admin\AppData\Local\Temp\c.cmd		text
		MD5:527AB64BE48A2EEB866CC39ADF8D7881	SHA256:1A6AB31585C11C81A56F1202733AE149EF0DAFE9AED12FD915D0323C8C49D2C6
4996	loader.exe	C:\ProgramData\$77loader.exe		executable
		MD5:0A3CAA24FAAC73876ACBDCA11B6CDA57	SHA256:C301D8C10990B7AC7804C3ED68F9E52682722507E950E6BC83B2796F5170449A
3172	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:33DE27C8DCC88FC3DB33B429DB60C7D5	SHA256:708AE655B44F33D7DCD06BC681E15BD4D8E9C37226D62D38FF8F51FF0EB714E3
3172	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:3DA3928504E4700E10125826FBD71D9E	SHA256:2289D0D93C2D1101E0ABAC2969C35D0B6FF1C06F10BDF6C729F263A47123BFC4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
716	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	302	104.21.64.1:443	https://anonsharing.com/194e218797374600/Install.exe?download_token=b6b3a4a745f25b55991fca3ba3961a2649d56421b8d02347c4c611e9bbc845b5	unknown	html	2.08 Kb	—
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/43a1723/test22/refs/heads/main/payload	unknown	text	1.08 Kb	—
—	—	GET	200	75.2.60.5:443	https://s3.ca-central-1.wasabisys.com/anonsharing/dd/dd9433c2464cd566c5237a2ff4c9595f?response-content-disposition=filename%3DInstall.exe&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HSRJ9W5CR8WH0842044I%2F20241214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241214T092153Z&X-Amz-SignedHeaders=host&X-Amz-Expires=10800&X-Amz-Signature=c4ca52e105d4329377a3e28ee139b0f402b05e9e86366a3c8bcbd9a1bf93a36f	unknown	executable	161 Kb	whitelisted
—	—	GET	302	104.21.80.1:443	https://anonsharing.com/file/194e218797374600/Install.exe	unknown	html	774 b	—
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Ip	unknown	text	21 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
716	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.154:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
716	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
716	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
716	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 4.231.128.59	whitelisted
www.bing.com	104.126.37.154 104.126.37.171 104.126.37.123 104.126.37.139 104.126.37.128 104.126.37.130 104.126.37.152 104.126.37.155 104.126.37.153	whitelisted
google.com	172.217.18.110	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
raw.githubusercontent.com	185.199.111.133 185.199.110.133 185.199.109.133 185.199.108.133	shared
anonsharing.com	104.21.80.1 104.21.16.1 104.21.112.1 104.21.32.1 104.21.96.1 104.21.48.1 104.21.64.1	unknown
s3.ca-central-1.wasabisys.com	38.143.146.103 38.143.146.100 38.143.146.102 38.143.146.101	whitelisted
self.events.data.microsoft.com	13.89.179.8	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet
—	—	Misc activity	ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in DNS Lookup
—	—	Misc activity	ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in TLS SNI

General Info

loader.exe

0A3CAA24FAAC73876ACBDCA11B6CDA57

FA619ABF5C6F84598B500152A19D64EE4FBCD6D4

C301D8C10990B7AC7804C3ED68F9E52682722507E950E6BC83B2796F5170449A

6144:q7ZpPCYXxQhzP92Yy5ax8ZZCHd4OBCUQlP:q7Zp68Yzl2rGP9MlP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XWORM has been detected (YARA)

Application was injected by another process

Runs injected code in another process

XWORM has been detected (SURICATA)

Dynamically loads an assembly (POWERSHELL)

SUSPICIOUS

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Executing commands from ".cmd" file

Reads security settings of Internet Explorer

The process executes via Task Scheduler

Reads the date of Windows installation

Possibly malicious use of IEX has been detected

Starts POWERSHELL.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Connects to unusual port

Invokes assembly entry point (POWERSHELL)

Possibly patching Antimalware Scan Interface function (YARA)

Contacting a server suspected of hosting an CnC

INFO

Checks supported languages

Creates files in the program directory

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

The process uses the downloaded file

Process checks computer location settings

Reads the software policy settings

Script raised an exception (POWERSHELL)

Checks proxy server information

Checks if a key exists in the options dictionary (POWERSHELL)

Disables trace logs

Uses string replace method (POWERSHELL)

Reads Internet Explorer settings

Reads Environment values

Gets or sets the time when the file was last written to (POWERSHELL)

Uses string split method (POWERSHELL)

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules