File name:

SNOSER BY VERXOVNIY.exe

Full analysis: https://app.any.run/tasks/c8d3bd3b-f47b-48f0-a762-ee0cf84c8834
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: September 21, 2024, 12:54:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
xworm
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

D02AC0BF933FA9B48925886563E9CFFE

SHA1:

B0C0B25B52BD9A5FEF6105E38F44CA25EFAD5C58

SHA256:

DAEAD20BD02042549328A55D4DF51C2E8C4C4C4D25FF368DF1EF74B6D61BE3F9

SSDEEP:

3072:fHLhLfVEDyGA9E7RapUV0Q9c77PnuUR2+5sSrp86fpMgYTg0am96:Hyb9apUViPnur+7rpCgYVd9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • SNOSER BY VERXOVNIY.exe (PID: 6500)
      • mudak.exe (PID: 6052)

    • Changes powershell execution policy (Bypass)

      • SNOSER BY VERXOVNIY.exe (PID: 6500)
      • mudak.exe (PID: 6052)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6588)
      • powershell.exe (PID: 4444)
      • powershell.exe (PID: 2576)
      • powershell.exe (PID: 644)
      • powershell.exe (PID: 4292)
      • powershell.exe (PID: 6560)
      • powershell.exe (PID: 5468)
      • powershell.exe (PID: 4180)

    • Adds process to the Windows Defender exclusion list

      • mudak.exe (PID: 6052)

    • XWORM has been detected (YARA)

      • mudak.exe (PID: 6052)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • SNOSER BY VERXOVNIY.exe (PID: 2936)
      • SNOSER BY VERXOVNIY.exe (PID: 6500)

    • Reads the date of Windows installation

      • SNOSER BY VERXOVNIY.exe (PID: 2936)
      • SNOSER BY VERXOVNIY.exe (PID: 6500)

    • Application launched itself

      • SNOSER BY VERXOVNIY.exe (PID: 2936)

    • Starts POWERSHELL.EXE for commands execution

      • SNOSER BY VERXOVNIY.exe (PID: 6500)
      • mudak.exe (PID: 6052)

    • Executing commands from a ".bat" file

      • SNOSER BY VERXOVNIY.exe (PID: 6500)

    • Starts CMD.EXE for commands execution

      • SNOSER BY VERXOVNIY.exe (PID: 6500)

    • Script adds exclusion path to Windows Defender

      • SNOSER BY VERXOVNIY.exe (PID: 6500)
      • mudak.exe (PID: 6052)

    • Executable content was dropped or overwritten

      • SNOSER BY VERXOVNIY.exe (PID: 6500)
      • mudak.exe (PID: 6052)

    • Script adds exclusion process to Windows Defender

      • mudak.exe (PID: 6052)

    • Uses WMIC.EXE to obtain Windows Installer data

      • Umb.exe (PID: 2648)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • Umb.exe (PID: 2648)

  • INFO

    • Checks supported languages

      • SNOSER BY VERXOVNIY.exe (PID: 2936)
      • SNOSER BY VERXOVNIY.exe (PID: 6500)

    • Process checks computer location settings

      • SNOSER BY VERXOVNIY.exe (PID: 2936)
      • SNOSER BY VERXOVNIY.exe (PID: 6500)

    • Reads the computer name

      • SNOSER BY VERXOVNIY.exe (PID: 2936)
      • SNOSER BY VERXOVNIY.exe (PID: 6500)

    • The process uses the downloaded file

      • SNOSER BY VERXOVNIY.exe (PID: 6500)
      • SNOSER BY VERXOVNIY.exe (PID: 2936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:19 13:33:40+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 150528
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x26bde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: SNOSER BY VERXOVNIY.exe
LegalCopyright:
OriginalFileName: SNOSER BY VERXOVNIY.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
159
Monitored processes
28
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start snoser by verxovniy.exe no specs snoser by verxovniy.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs #XWORM mudak.exe powershell.exe no specs conhost.exe no specs umb.exe powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs svchost.exe openwith.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
644"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\XELHER_V1.py'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSNOSER BY VERXOVNIY.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
752\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2472"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
2576"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\Umb.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSNOSER BY VERXOVNIY.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2648"C:\Users\admin\AppData\Local\Temp\Umb.exe" C:\Users\admin\AppData\Local\Temp\Umb.exe
SNOSER BY VERXOVNIY.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Version:
1.0.0.0
2804C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
2812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2936"C:\Users\admin\AppData\Local\Temp\SNOSER BY VERXOVNIY.exe" C:\Users\admin\AppData\Local\Temp\SNOSER BY VERXOVNIY.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\snoser by verxovniy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2976C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\gg.bat" "C:\Windows\System32\cmd.exeSNOSER BY VERXOVNIY.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
Total events
12 061
Read events
12 061
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
4444powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4zpvipvf.imo.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6588powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:0E1981EFD7C068690CB2754A8C71BEEE
SHA256:0E0C9C76FBD59370FD63E242160649AF4CFB67697DB47FFD69BC1F3DD657F69D
6500SNOSER BY VERXOVNIY.exeC:\Users\admin\AppData\Local\Temp\gg.battext
MD5:50828F803457C02645EFFC166618FC1C
SHA256:B0482AACFC377074EFA5AF6C2217CC020A7A21A152D5B81F05F1A12131E06C0D
2576powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ux5ski.l4m.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6500SNOSER BY VERXOVNIY.exeC:\Users\admin\AppData\Local\Temp\mudak.exeexecutable
MD5:185F3E5C34B376E6DB89851266ABFDD7
SHA256:70F6DFD0DB2CB30FDADB62E4BB814A36D144DECD55248CC09630ADF8D6DF27A0
644powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jtyloi3w.vfg.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6500SNOSER BY VERXOVNIY.exeC:\Users\admin\AppData\Local\Temp\Umb.exeexecutable
MD5:91554551AC97B7D47AA4CED88780E366
SHA256:E2FCE8B181FB4772037DE20FB6644C951FC25B303CCF5987D31EAE2EB3E13128
644powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zmybyvyr.qfc.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5468powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yqfx1bhi.zh0.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6588powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wzb0q2ju.jje.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
30
DNS requests
19
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2648
Umb.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
6932
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3356
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6932
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
192.168.100.255:137
whitelisted
1848
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6932
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6932
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2648
Umb.exe
142.250.181.227:443
gstatic.com
GOOGLE
US
whitelisted
2648
Umb.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
gstatic.com
  • 142.250.181.227
whitelisted
ip-api.com
  • 208.95.112.1
shared
login.live.com
  • 40.126.32.68
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.72
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
browser.pipe.aria.microsoft.com
  • 20.42.73.27
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2648
Umb.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2648
Umb.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Misc activity
ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SNOSER BY VERXOVNIY.exe