File name:	r8nj8f.secro671779420
Full analysis:	https://app.any.run/tasks/0fcc3b77-d626-47c4-9732-c895384ef1f6
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	February 21, 2025, 12:15:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	ims-api generic evasion discord exfiltration stealer remote xworm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	923C01E71A0EDC6348FEF42A96232F4D
SHA1:	AC386FE76ED8448975EEEE75B6343EFD0E45A47E
SHA256:	C8925393C4FA911D438A5412A06AD0CE38289592C8B1FABCB2AD0D0E06D01205
SSDEEP:	6144:8PYzgBUTl4cqxGJnb8AnrjI8egUFIujqREJKq1Tr:8DBUZ4cqxGxtrjIKuUq1Tr

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:02:21 10:37:33+00:00
ImageFileCharacteristics:	Executable
PEType:	PE32
LinkerVersion:	8
CodeSize:	275456
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x453aa
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	DiscordNuker.exe
LegalCopyright:
OriginalFileName:	DiscordNuker.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(2728) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2728) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(2728) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2728) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2728) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(2728) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2728) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2728) cmstp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation:	write	Name:	DesktopShortcut
Value: 0
(PID) Process:	(3808) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation:	write	Name:	ProfileInstallPath
Value: C:\ProgramData\Microsoft\Network\Connections\Cm
(PID) Process:	(5316) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

PID	Process	Filename		Type
364	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ula1lz0a.qsa.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5200	dasHost.exe	C:\Users\admin\Xspay		executable
		MD5:923C01E71A0EDC6348FEF42A96232F4D	SHA256:C8925393C4FA911D438A5412A06AD0CE38289592C8B1FABCB2AD0D0E06D01205
628	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ycnfoez5.x1l.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
628	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3il4by1o.bqi.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
364	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v1rz3hkv.fv5.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1144	r8nj8f.secro671779420.exe	C:\Windows\Temp\52rjn5pj.inf		text
		MD5:0ABC7D371102FEC21D455240C4B7FCDA	SHA256:DCA15298434247B659A18FC1F41874E59B07F8430EAE6F76A82F4DF474858BAF
4952	r8nj8f.secro671779420.exe	C:\ProgramData\dasHost.exe		executable
		MD5:923C01E71A0EDC6348FEF42A96232F4D	SHA256:C8925393C4FA911D438A5412A06AD0CE38289592C8B1FABCB2AD0D0E06D01205
628	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:12BB6DEECE5591424400110B6A55A9CE	SHA256:68272A01DF11446F4A5B4A4F31BC1CEBB5F6FCBF3666DBC2F5AAFA0C6E26331F
5200	dasHost.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xspay.lnk		binary
		MD5:0CFF738F6DA0EC2FFCA3C5339E99D83C	SHA256:ECB33F2E9F9FE3188C0CB6632030D1B3DF11582BEC3CBE6BF1D38E7F087F1F18
4952	r8nj8f.secro671779420.exe	C:\Users\admin\AppData\Local\Temp\tmp3883.tmp.bat		text
		MD5:C729EBC2E1DDF090A3CA3F81B0D94FF5	SHA256:8732E2102B11CE30B130FCCF265184819477866BFBEBAEA8F1A225D39A1E28F9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4952	r8nj8f.secro671779420.exe	GET	200	208.95.112.1:80	http://ip-api.com/csv/?fields=status,query	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
440	svchost.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
436	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
440	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	204	92.123.104.66:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	POST	204	162.159.128.233:443	https://discord.com/api/webhooks/1342444829509943359/VmEES51Exkdm2Sierq4CnqAraTeWAyI35xMLRjznkF8GXY9_D5Qje_cL5J_sHhnDeBVh	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
440	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
436	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.19.122.30:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
440	svchost.exe	95.101.54.128:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	95.101.54.128:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
440	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
www.bing.com	2.19.122.30 2.19.122.20 2.19.122.21 2.19.122.32 2.19.122.25 2.19.122.22 2.19.122.28 2.19.122.23 2.19.122.26	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	95.101.54.128 95.101.54.122	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
ip-api.com	208.95.112.1	whitelisted
discord.com	162.159.136.232 162.159.138.232 162.159.135.232 162.159.137.232 162.159.128.233	whitelisted
25.ip.gl.ply.gg	147.185.221.25	malicious
self.events.data.microsoft.com	104.208.16.91	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4952	r8nj8f.secro671779420.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4952	r8nj8f.secro671779420.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
4952	r8nj8f.secro671779420.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
2192	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2192	svchost.exe	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
5200	dasHost.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

r8nj8f.secro671779420

923C01E71A0EDC6348FEF42A96232F4D

AC386FE76ED8448975EEEE75B6343EFD0E45A47E

C8925393C4FA911D438A5412A06AD0CE38289592C8B1FABCB2AD0D0E06D01205

6144:8PYzgBUTl4cqxGJnb8AnrjI8egUFIujqREJKq1Tr:8DBUZ4cqxGxtrjIKuUq1Tr

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Known privilege escalation attack

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Adds path to the Windows Defender exclusion list

Adds process to the Windows Defender exclusion list

Create files in the Startup directory

XWORM has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

Possible usage of Discord/Telegram API has been detected (YARA)

Checks for external IP

Starts POWERSHELL.EXE for commands execution

The process connected to a server suspected of theft

Executes as Windows Service

Script adds exclusion path to Windows Defender

Script adds exclusion process to Windows Defender

Uses TASKKILL.EXE to kill process

Executable content was dropped or overwritten

The process creates files with name similar to system file names

The process executes via Task Scheduler

Executing commands from a ".bat" file

Uses TIMEOUT.EXE to delay execution

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Process checks computer location settings

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Checks transactions between databases Windows and Oracle

Reads Internet Explorer settings

Disables trace logs

Reads Environment values

Checks proxy server information

Reads the software policy settings

Creates files in the program directory

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Create files in a temporary directory

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules