File name:

e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0

Full analysis: https://app.any.run/tasks/07698e0e-3d65-44e5-b411-279257ff4ab5
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: January 10, 2025, 22:56:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

C184DC2506BAF6DB751EB377ED956D80

SHA1:

37DC77B864052992FC80B770A32DF7F98EA7AA0C

SHA256:

E57C95D15AA7D06D12BAD49C0AF668C72BE26072649E956B35A2EF575FDE0CC0

SSDEEP:

49152:xHlGAXWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZM:eAGQX21RBt7QjTmcaTH/vU4do9Pcjq1o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • Esher.exe (PID: 6524)
      • RegSvcs.exe (PID: 6740)
    • XWORM has been detected (YARA)

      • RegSvcs.exe (PID: 6740)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
      • RegSvcs.exe (PID: 6740)
    • Starts itself from another location

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
    • Process drops legitimate windows executable

      • RegSvcs.exe (PID: 6740)
    • Connects to unusual port

      • RegSvcs.exe (PID: 6740)
  • INFO

    • Reads the machine GUID from the registry

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
      • RegSvcs.exe (PID: 6740)
    • Reads mouse settings

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
      • Esher.exe (PID: 6524)
    • Checks supported languages

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
      • Esher.exe (PID: 6524)
      • RegSvcs.exe (PID: 6740)
    • The sample compiled with english language support

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
      • RegSvcs.exe (PID: 6740)
    • Create files in a temporary directory

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
      • Esher.exe (PID: 6524)
    • Creates files or folders in the user directory

      • e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe (PID: 6340)
      • Esher.exe (PID: 6524)
      • RegSvcs.exe (PID: 6740)
    • Reads the computer name

      • RegSvcs.exe (PID: 6740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(6740) RegSvcs.exe
C287.120.120.15:31952
Keys
AEShttp://exmple.com/Uploader.php
Options
SplitterUSB.exe
USB drop name<123456789>
Mutex<Xwormmm>
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:11 00:34:09+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 581120
InitializedDataSize: 388096
UninitializedDataSize: -
EntryPoint: 0x27dcd
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe esher.exe #XWORM regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
6340"C:\Users\admin\AppData\Local\Temp\e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe" C:\Users\admin\AppData\Local\Temp\e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
6524"C:\Users\admin\AppData\Local\Temp\e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe" C:\Users\admin\AppData\Local\lustring\Esher.exe
e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\lustring\esher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
6740"C:\Users\admin\AppData\Local\Temp\e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Esher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
XWorm
(PID) Process(6740) RegSvcs.exe
C287.120.120.15:31952
Keys
AEShttp://exmple.com/Uploader.php
Options
SplitterUSB.exe
USB drop name<123456789>
Mutex<Xwormmm>
Total events
289
Read events
289
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6340e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exeC:\Users\admin\AppData\Local\Temp\Allenebinary
MD5:74F38115E57845CCDDC6EF0E818727B2
SHA256:2628D26F119028795D3D1D4CFB42DF56AB1546D81B041396481F7558CD6B13DB
6340e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exeC:\Users\admin\AppData\Local\Temp\aut548C.tmpbinary
MD5:6E3B8B2D0D553136D0E236D22FAE481C
SHA256:B38F85C37889CABDAFF2E97F31E8487A65B4AA6AF83678425FFEF06B9634567C
6740RegSvcs.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exeexecutable
MD5:6279D136310C22894F605938B4CB93D8
SHA256:FB7D514B3322810463655473D2D7C704D3405C1C9DD81F0D4D423518EF416987
6340e57c95d15aa7d06d12bad49c0af668c72be26072649e956b35a2ef575fde0cc0.exeC:\Users\admin\AppData\Local\lustring\Esher.exeexecutable
MD5:C184DC2506BAF6DB751EB377ED956D80
SHA256:E57C95D15AA7D06D12BAD49C0AF668C72BE26072649E956B35A2EF575FDE0CC0
6524Esher.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Esher.vbsbinary
MD5:D01BD14400D4C84C36BEB109048BFC17
SHA256:06B28C482CB284B9BF6DA005D86EEB8692909D7AC625C1BD258807AAB04D4AAB
6524Esher.exeC:\Users\admin\AppData\Local\Temp\aut5CAA.tmpbinary
MD5:6E3B8B2D0D553136D0E236D22FAE481C
SHA256:B38F85C37889CABDAFF2E97F31E8487A65B4AA6AF83678425FFEF06B9634567C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
117
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3508
svchost.exe
GET
304
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3508
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6432
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1828
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1828
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3508
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3508
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.139
  • 104.126.37.163
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.145
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.73
  • 20.190.159.75
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted

Threats

No threats detected
No debug info