File name:	Voucherdereserva_21_06_2025_64565665_54462653202546.js
Full analysis:	https://app.any.run/tasks/fd5d1c51-de7b-49ca-a51e-e3081307618f
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 22:39:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	payload loader reverseloader auto-startup susp-powershell xworm
Indicators:
MIME:	application/javascript
File info:	JavaScript source, Unicode text, UTF-8 text, with CRLF line terminators
MD5:	806C7A5FDFF78B2FF0685B46E3589B3F
SHA1:	270BC6F7408DEC345BC81C128293E7994B285513
SHA256:	E5258678C7718C6B2E87242536B3FE038B74C01997628AD5CCE5C10A78F5DC6B
SSDEEP:	768:J4eQrqp4wv4zQ5sVdtwkscb09T9Y8VQQf522KK:J4i4NzQ6VyYi/f5RKK


(PID) Process:	(3864) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 3E70170000000000

PID	Process	Filename		Type
1296	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0qe1oh2u.3vj.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4196	MSBuild.exe	C:\Users\admin\AppData\Local\windows.exe		executable
		MD5:9F331A11A054F33664FE86543FC34CF0	SHA256:5F9AF68DB10B029453264CFC9B8EEE4265549A2855BB79668CCFC571FB11F5FC
4196	MSBuild.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.lnk		binary
		MD5:335AC9BA711217DB1C69C379E87008CC	SHA256:9A8A564694D05133F9683E31AFFCBBD4541878D1B8A2D1CFCD40782F06081305
1296	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ebprgp0c.qix.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1296	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:95B2D26752E12F46BD133119C1A17470	SHA256:9B9C1FD0000B323DAA14FDCCC1D9DCED12E52FD3A9E0285686B7F2CFDABBB841

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3864	wscript.exe	GET	301	23.186.113.60:80	http://paste.ee/d/fA8AjeRa/0	unknown	—	—	shared
—	—	GET	200	23.186.113.60:443	https://paste.ee/d/fA8AjeRa/0	unknown	binary	42.4 Kb	shared
1268	svchost.exe	GET	200	184.24.77.23:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.23:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3676	RUXIMICS.exe	GET	200	184.24.77.23:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3676	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.65:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	GET	302	207.241.224.2:443	https://archive.org/download/wp4096799-lost-in-space-wallpapers_20250621_1447/wp4096799-lost-in-space-wallpapers.jpg	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3676	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3864	wscript.exe	23.186.113.60:80	paste.ee	—	—	shared
3864	wscript.exe	23.186.113.60:443	paste.ee	—	—	shared
5944	MoUsoCoreWorker.exe	184.24.77.23:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.24.77.23:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3676	RUXIMICS.exe	184.24.77.23:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 4.231.128.59	whitelisted
google.com	216.58.206.78	whitelisted
paste.ee	23.186.113.60	shared
crl.microsoft.com	184.24.77.23 184.24.77.42 184.24.77.6 184.24.77.38 184.24.77.11 184.24.77.30 184.24.77.35 184.24.77.34	whitelisted
www.microsoft.com	95.101.149.131 23.35.229.160	whitelisted
login.live.com	20.190.160.128 20.190.160.22 20.190.160.66 20.190.160.14 20.190.160.132 40.126.32.72 40.126.32.74 40.126.32.134	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
archive.org	207.241.224.2	whitelisted
dn721503.ca.archive.org	204.62.247.1	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
3864	wscript.exe	Potential Corporate Privacy Violation	ET INFO Pastebin-style Service (paste .ee) in TLS SNI
—	—	A Network Trojan was detected	SUSPICIOUS [ANY.RUN] VBS is used to run Shell
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1296	powershell.exe	Potential Corporate Privacy Violation	ET INFO Pastebin-style Service (paste .ee) in TLS SNI
—	—	Potentially Bad Traffic	PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2
—	—	A Network Trojan was detected	ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

General Info

Voucherdereserva_21_06_2025_64565665_54462653202546.js

806C7A5FDFF78B2FF0685B46E3589B3F

270BC6F7408DEC345BC81C128293E7994B285513

E5258678C7718C6B2E87242536B3FE038B74C01997628AD5CCE5C10A78F5DC6B

768:J4eQrqp4wv4zQ5sVdtwkscb09T9Y8VQQf522KK:J4i4NzQ6VyYi/f5RKK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Creates internet connection object (SCRIPT)

Opens an HTTP connection (SCRIPT)

Sends HTTP request (SCRIPT)

Bypass execution policy to execute commands

Run PowerShell with an invisible window

Changes powershell execution policy (Bypass)

Downloads the requested resource (POWERSHELL)

Dynamically loads an assembly (POWERSHELL)

Create files in the Startup directory

XWORM has been detected (YARA)

SUSPICIOUS

Potential Corporate Privacy Violation

Starts POWERSHELL.EXE for commands execution

Runs shell command (SCRIPT)

Possibly malicious use of IEX has been detected

The process bypasses the loading of PowerShell profile settings

Uses base64 encoding (POWERSHELL)

Writes data to a memory stream (POWERSHELL)

Converts a specified value to an integer (POWERSHELL)

Process drops legitimate windows executable

Connects to unusual port

Executable content was dropped or overwritten

INFO

Self-termination (SCRIPT)

Found Base64 encoded text manipulation via PowerShell (YARA)

Found Base64 encoded spyware-related PowerShell classes (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Checks supported languages

Uses string replace method (POWERSHELL)

Disables trace logs

Checks proxy server information

Gets data length (POWERSHELL)

Found Base64 encoded access to BitConverter class via PowerShell (YARA)

The sample compiled with english language support

Launching a file from the Startup directory

Reads the software policy settings

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Malware configuration

XWorm

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests