Edit tour

Windows Analysis Report
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Overview

General Information

Sample name:	1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
Analysis ID:	1391068
MD5:	1068f15bcb0132a138ad6496f58ad7d4
SHA1:	0035aa784e6f052a384ea044662b5256765aa0fa
SHA256:	333f2437106696b8daea10f30724be9b226fb4db1e9f967757fb14f7c8f41511
Tags:	base64-decodedexe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe (PID: 7516 cmdline: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe MD5: 1068F15BCB0132A138AD6496F58AD7D4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["xwv5group7001.duckdns.org"], "Port": "7001", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x70c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7161:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7276:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d70:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ec4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f61:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7076:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b70:$cnc4: POST / HTTP/1.1
00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe PID: 7516	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x70c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7161:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7276:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d70:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 163.172.59.233 - Destination IP: 192.168.2.4

Timestamp:	163.172.59.233192.168.2.47001497292852870 02/12/24-20:15:13.583849
SID:	2852870
Source Port:	7001
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 163.172.59.233

Timestamp:	192.168.2.4163.172.59.2334972970012855924 02/12/24-20:15:11.927004
SID:	2855924
Source Port:	49729
Destination Port:	7001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 163.172.59.233 - Destination IP: 192.168.2.4

Timestamp:	163.172.59.233192.168.2.47001497292852874 02/12/24-20:15:13.583849
SID:	2852874
Source Port:	7001
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["xwv5group7001.duckdns.org"], "Port": "7001", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for submitted file

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

ReversingLabs: Detection: 76%

Machine Learning detection for sample

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Joe Sandbox ML: detected

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49729 -> 163.172.59.233:7001
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 163.172.59.233:7001 -> 192.168.2.4:49729
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 163.172.59.233:7001 -> 192.168.2.4:49729

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xwv5group7001.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: xwv5group7001.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 163.172.59.233:7001

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: xwv5group7001.duckdns.org

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, XLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Code function: 0_2_00007FFD9B8A6316	0_2_00007FFD9B8A6316
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Code function: 0_2_00007FFD9B8A9A8D	0_2_00007FFD9B8A9A8D
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Code function: 0_2_00007FFD9B8A70C2	0_2_00007FFD9B8A70C2

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNewXClient.exe7001.exe4 vs 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Binary or memory string: OriginalFilenameNewXClient.exe7001.exe4 vs 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\mrkh245537gVoEKF

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Code function: 0_2_00007FFD9B8A167D push ebx; retf

0_2_00007FFD9B8A16AA

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Memory allocated: F30000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Window / User API: threadDelayed 8710			Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	Window / User API: threadDelayed 1136			Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe TID: 7620	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe TID: 7624	Thread sleep count: 8710 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe TID: 7624	Thread sleep count: 1136 > 30	Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000002.4111143309.000000001BA10000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000002.4109445202.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000002.4111143309.000000001BA10000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe PID: 7516, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe PID: 7516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.XWorm
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	100%	Avira	TR/Spy.Gen
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
xwv5group7001.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xwv5group7001.duckdns.org	163.172.59.233	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xwv5group7001.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
163.172.59.233	xwv5group7001.duckdns.org	United Kingdom		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1391068
Start date and time:	2024-02-12 20:14:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 4 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
20:14:58	API Interceptor	11941236x Sleep call for process: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
163.172.59.233	screen_shots.vbs	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xwv5group7001.duckdns.org	screen_shots.vbs	Get hash	malicious	XWorm	Browse	163.172.59.233
	IMG-662466100.vbs	Get hash	malicious	XWorm	Browse	91.92.251.144
	IMG5527735001.vbs	Get hash	malicious	XWorm	Browse	91.92.251.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OnlineSASFR	screen_shots.vbs	Get hash	malicious	XWorm	Browse	163.172.59.233
	OXnFrFdLpC.elf	Get hash	malicious	Unknown	Browse	51.158.220.13
	fnKtfdi0P0.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	62.210.123.24
	ccQGH1mKws.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	62.210.105.46
	IIBXMzS0zN.exe	Get hash	malicious	Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	163.172.182.26
	file.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc, Xmrig	Browse	163.172.68.222
	7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e_dump.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	62.210.83.207
	file.exe	Get hash	malicious	PureLog Stealer	Browse	51.15.150.228
	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	62.210.105.46
	zbnq9rGNLi.exe	Get hash	malicious	LummaC, CryptOne, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	51.15.142.0

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.556242328642917
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
File size:	34'816 bytes
MD5:	1068f15bcb0132a138ad6496f58ad7d4
SHA1:	0035aa784e6f052a384ea044662b5256765aa0fa
SHA256:	333f2437106696b8daea10f30724be9b226fb4db1e9f967757fb14f7c8f41511
SHA512:	c8044248cab9af5653f878e553d3d3ff334a013a2510f68b2bd210c6dad429b5b36a4626f1b8df82f3b28bf9dde48e1fa7ff95aa248c65ff2ea702c29da770b4
SSDEEP:	768:n4fK1pDGkptwyZScCBSUapNgqN5U/kZl+Bcgo5tlTF592SO9hDdRk:XDGkptwyZScCkU4r3UsZcB5o5HF592S/
TLSH:	CAF24B087FE4832ACAFE2BF529F2651512B4D503EA13D75E18D845AA6F37BC08D013E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.e.................~............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x409bfe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CA3C9F [Mon Feb 12 15:43:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9bb0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x508	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7c04	0x7e00	e6c45a06631ee230f1ba31853c59127c	False	0.49618675595238093	data	5.6954176144457405	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x508	0x600	51c4dbf4c7e061764d23c0c993d67624	False	0.3815104166666667	data	3.8012642701241415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	064217dac52cd36d16d6abd04b448fd6	False	0.041015625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x274	data			0.45222929936305734
RT_MANIFEST	0xa318	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
163.172.59.233192.168.2.47001497292852870 02/12/24-20:15:13.583849	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7001	49729	163.172.59.233	192.168.2.4
192.168.2.4163.172.59.2334972970012855924 02/12/24-20:15:11.927004	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49729	7001	192.168.2.4	163.172.59.233
163.172.59.233192.168.2.47001497292852874 02/12/24-20:15:13.583849	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7001	49729	163.172.59.233	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2024 20:14:59.398528099 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:14:59.593719959 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:14:59.594021082 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:14:59.831568003 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:00.082015991 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:15:11.927004099 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:12.175095081 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:15:13.583848953 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:15:13.632057905 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:23.476512909 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:23.721527100 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:15:35.039427996 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:35.283682108 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:15:43.580962896 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:15:43.632056952 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:47.202920914 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:47.455503941 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:15:58.773153067 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:15:59.017877102 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:08.851119995 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:09.111768007 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:13.605781078 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:13.647845030 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:16.981030941 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:17.236157894 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:17.236531019 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:17.486686945 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:19.627095938 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:19.870927095 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:19.872292042 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:20.117151022 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:31.226370096 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:31.470310926 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:32.245064020 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:32.489065886 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:32.715352058 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:32.970344067 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:34.916084051 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:35.173094988 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:35.317951918 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:35.563738108 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:39.726634979 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:39.970236063 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:40.335484028 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:40.579404116 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:43.264750957 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:43.517007113 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:43.550774097 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:43.757249117 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:44.197125912 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:44.440828085 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:48.002635002 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:48.250797033 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:48.250874043 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:48.501280069 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:48.501528978 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:48.744636059 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:16:49.352322102 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:16:49.610830069 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:00.913755894 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:01.157757044 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:01.158009052 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:01.407311916 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:02.759793043 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:03.009749889 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:04.111289024 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:04.355923891 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:04.609102964 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:04.853872061 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:05.211179018 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:05.469875097 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:05.742007971 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:05.985985041 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:06.089765072 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:06.342925072 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:08.083559036 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:08.327713966 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:08.875215054 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:09.125741005 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:13.581769943 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:13.614607096 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:13.826932907 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:13.827069044 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:14.072165012 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:14.274796963 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:14.519398928 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:15.415687084 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:15.672426939 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:15.672648907 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:15.922257900 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:17.116836071 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:17.359702110 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:19.075427055 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:19.328888893 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:19.445154905 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:19.688477039 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:19.688688040 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:19.933079958 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:21.921469927 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:22.172533989 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:23.354917049 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:23.609405041 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:23.719242096 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:23.968950987 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:27.172976017 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:27.415915012 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:28.076307058 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:28.328609943 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:39.632548094 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:39.876692057 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:41.026793003 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:41.265499115 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:41.265610933 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:41.515711069 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:42.182226896 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:42.437721014 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:42.774013042 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:43.016206026 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:43.578141928 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:43.647851944 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:53.335553885 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:53.576642036 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:53.576738119 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:53.828351021 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:54.208157063 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:54.446793079 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:54.446860075 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:54.690542936 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:54.690618038 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:54.937048912 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:54.937138081 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:55.186963081 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:55.187135935 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:55.431056976 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:55.431159019 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:55.681109905 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:55.681165934 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:55.925081015 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:56.217324018 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:56.461718082 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:17:57.663657904 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:17:57.905941010 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:00.899684906 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:01.155641079 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:01.155720949 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:01.406059980 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:01.504266024 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:01.748342037 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:03.737623930 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:03.983798981 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:03.983961105 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:04.233964920 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:05.241780996 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:05.499340057 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:05.515141964 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:05.764919996 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:05.765000105 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:06.016283035 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:09.666337013 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:09.921463013 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:09.921523094 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:10.169147968 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:12.081464052 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:12.327929974 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:13.132510900 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:13.389523983 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:13.577632904 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:13.741533041 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:17.413856030 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:17.655471087 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:18.417850018 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:18.671123028 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:18.987684965 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:19.233388901 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:21.271927118 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:21.518860102 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:21.518969059 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:21.780193090 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:22.362823963 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:22.608805895 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:23.517971992 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:23.780823946 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:25.781450033 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:26.025492907 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:26.358563900 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:26.602850914 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:30.899945974 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:31.155565023 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:31.675088882 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:31.919181108 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:36.749094963 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:36.997440100 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:37.982665062 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:38.227806091 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:38.227991104 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:38.482291937 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:38.920722961 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:39.164184093 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:39.675082922 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:39.920417070 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:39.920592070 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:40.164241076 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:40.164401054 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:40.404691935 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:40.404802084 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:40.654690981 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:41.698575020 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:41.952285051 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:42.840876102 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:43.092520952 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:43.549913883 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:43.741751909 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:45.108381033 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:45.358043909 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:46.862541914 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:47.108242989 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:48.419641018 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:48.670068026 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:49.750547886 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:49.991770029 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:51.519524097 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:51.763278961 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:52.057960033 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:52.310497999 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:52.310585022 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:52.560535908 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:52.960608959 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:53.217109919 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:53.217195988 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:53.467617035 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:53.467731953 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:53.716921091 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:54.539704084 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:54.789221048 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:56.750377893 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:56.992077112 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:57.287123919 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:57.545614004 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:18:59.694678068 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:18:59.935575962 CET	7001	49729	163.172.59.233	192.168.2.4
Feb 12, 2024 20:19:00.714211941 CET	49729	7001	192.168.2.4	163.172.59.233
Feb 12, 2024 20:19:00.967175961 CET	7001	49729	163.172.59.233	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2024 20:14:59.238491058 CET	50682	53	192.168.2.4	1.1.1.1
Feb 12, 2024 20:14:59.389633894 CET	53	50682	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 12, 2024 20:14:59.238491058 CET	192.168.2.4	1.1.1.1	0xdb8b	Standard query (0)	xwv5group7001.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 12, 2024 20:14:59.389633894 CET	1.1.1.1	192.168.2.4	0xdb8b	No error (0)	xwv5group7001.duckdns.org		163.172.59.233	A (IP address)	IN (0x0001)	false

Analysis Process: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exePID: 7516, Parent PID: 2580

General

Target ID:	0
Start time:	20:14:54
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
Imagebase:	0x6f0000
File size:	34'816 bytes
MD5 hash:	1068F15BCB0132A138AD6496F58AD7D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exePID: 7516, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8A9A8D Relevance: .8, Instructions: 831
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4111659705.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb0ff278ca1519aaa8ada4a53ae40c66bc88e2f27a6b0903dc55878750df6fc
Instruction ID: 5c8b2bc842b6cf2cc6e2fa2c14234f815396a9c35712db188e2c52339429dc40
Opcode Fuzzy Hash: acb0ff278ca1519aaa8ada4a53ae40c66bc88e2f27a6b0903dc55878750df6fc
Instruction Fuzzy Hash: 3F42A130B1C90E8FEBA4EB788469A7977D2EF98310B514579D01DD32E6DE39ED428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A6316 Relevance: .5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4111659705.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6cbd706efaa35e1e304f6b89a564abc368fbd4dea22a90096dc5cc3d62034b
Instruction ID: 89493306ef7b117bf7b5077fb2569afaeeab3694fc6fa584b9b37e243a070c4f
Opcode Fuzzy Hash: 5f6cbd706efaa35e1e304f6b89a564abc368fbd4dea22a90096dc5cc3d62034b
Instruction Fuzzy Hash: 07F1A570A09A8D8FEBA8DF28C855BE937E1FF59310F04426EE84DC7295DF3499458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A70C2 Relevance: .5, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4111659705.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee201a93a3bf6004ee5b4edfb716a3392b905dee23cfd8ca64c6e91de97b59f0
Instruction ID: 3b29e5abba2618f8dfe85b61ce9927616881aba31fb4be7df05af464b208e268
Opcode Fuzzy Hash: ee201a93a3bf6004ee5b4edfb716a3392b905dee23cfd8ca64c6e91de97b59f0
Instruction Fuzzy Hash: 21E1E530A09A4E8FEBA8DF68C8657E937D1FF58310F05426EE84DC72A1DF7499418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A1BB8 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B8A1C81

Memory Dump Source

Source File: 00000000.00000002.4111659705.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a9.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8b3dfe776df88cc81e2dc160a3a101f8d35fd1fe3fed2bfacf3c5c9446a91da9
Instruction ID: b08b59d40f4ac0ee992b4e3bebaea6aadd0221c564167ce28c014efce15d131d
Opcode Fuzzy Hash: 8b3dfe776df88cc81e2dc160a3a101f8d35fd1fe3fed2bfacf3c5c9446a91da9
Instruction Fuzzy Hash: 8441F630A1CA5D8FDB18EF6898166F97BE1EB5A321F10027ED059C3292DE64A852C791

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Function 00007FFD9B8A9A8D Relevance: .8, Instructions: 831
COMMON

Function 00007FFD9B8A6316 Relevance: .5, Instructions: 477
COMMON

Function 00007FFD9B8A70C2 Relevance: .5, Instructions: 463
COMMON

Function 00007FFD9B8A1BB8 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON