Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Overview

General Information

Sample name:	17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe
Analysis ID:	1578606
MD5:	a415ad882030ab58b145cb02953d26ce
SHA1:	194000e48d07889ab77cd856d1f601413d13db99
SHA256:	e6ab65e7dcf0aabce0cf14be44dd70e7b8a1eaae1471e81b9a1144f000391463
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

XWorm

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XWorm

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

×

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["recovery.work.gd"], "Port": 1999, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a87:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7b24:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7c39:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x78c0:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Malware Configuration Extractor: Xworm {"C2 url": ["recovery.work.gd"], "Port": 1999, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: recovery.work.gd
Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: 1999
Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: <123456789>
Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: <Xwormmm>
Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: Primas_24
Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: USB.exe
Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: %LocalAppData%
Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	String decryptor: notepad.exe

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: recovery.work.gd

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

String found in binary or memory: https://rentry.co/8wum7vax/raw

System Summary

Malicious sample detected (through community Yara rule)

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe, type: SAMPLE

Matched rule: Detects AsyncRAT Author: ditekSHen

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Binary or memory string: OriginalFilenameXClient.exe4 vs 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe, type: SAMPLE

Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal84.troj.winEXE@0/0@0/0

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

ReversingLabs: Detection: 50%

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match

File source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected XWorm

Source: Yara match

File source: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	50%	ReversingLabs	Win32.Backdoor.XWormRAT
17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
recovery.work.gd	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://rentry.co/8wum7vax/raw	17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578606
Start date and time:	2024-12-19 23:30:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe
Detection:	MAL
Classification:	mal84.troj.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
VT rate limit hit for: 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	1734647108c2d815e9b224b58a4453e937ebbee326356eaa9618758f1ee8f3e412a78fcc82730.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe	Get hash	malicious	Quasar	Browse	13.107.246.63
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	13.107.246.63
	Gioia Faggioli-End Of Year-Bonus.docx	Get hash	malicious	Unknown	Browse	13.107.246.63
	dz6dQWx0DD.dll	Get hash	malicious	Nitol	Browse	13.107.246.63
	Eallentoff_401k_1484013830.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	INVOICE-0098.pdf ... .lnk.lnk.d.lnk	Get hash	malicious	Unknown	Browse	13.107.246.63
	hnghksdjfhs19De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	13.107.246.63

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.60402165942935
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe
File size:	37'218 bytes
MD5:	a415ad882030ab58b145cb02953d26ce
SHA1:	194000e48d07889ab77cd856d1f601413d13db99
SHA256:	e6ab65e7dcf0aabce0cf14be44dd70e7b8a1eaae1471e81b9a1144f000391463
SHA512:	06641656e1594fd7f77c0d345261a6c6dfb83f14a32d034cf27cf3305747b6e0edb77d35d6f4d5aee1e56ef79d4740129081c4abac9afffc5dcb06bd84f2d0a3
SSDEEP:	768:OoEZDEXo4pg4uaksIq1VFyj9bVOOlhXywa:OoEZDEXoVaksIqTFc9bVOOllZa
TLSH:	14F24B0877D44722D5ED5FF56AB3A1024679F6078823EB5F4CD884DA2B337D28A023E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.Pg................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a50e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6750BD76 [Wed Dec 4 20:37:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
add dword ptr [ebp-7DEDE2EEh], 051D1261h
pop es
add cl, byte ptr [esi]
sbb eax, 07070E1Ch
sbb eax, 82120E05h
cmp eax, 08054112h
sbb eax, 02200905h
adc al, byte ptr [eax-7DEEF12Bh]
jno 00007FCC607E159Ah
and byte ptr [ebx], al
add dword ptr [esi], ecx
sbb al, 11h
xor byte ptr [ebp+09h], 00000007h
add eax, dword ptr [edx]
adc al, byte ptr [eax-667FED2Bh]
push es
and byte ptr [ecx], al
adc al, byte ptr [eax+070B0ED5h]
add al, 1Dh
add eax, 1CD58012h
adc al, byte ptr [eax+02000699h]
or byte ptr [00040805h], bl
add dword ptr [eax], ecx
sbb al, 10h
pop es
or dword ptr [1D1C1C05h], ebx
add eax, 1C1D1C1Ch
sbb eax, 05021D1Ch
add byte ptr [ecx], al
sbb eax, 070D0805h
pop es
sbb eax, 1C1C1C05h
sbb eax, 1D1C1D1Ch
add dl, byte ptr [edx]
pop es
push es
adc al, byte ptr [edx+12051D35h]
cmp byte ptr [8212051Dh], 00000039h
adc al, byte ptr [eax+03200799h]
add dword ptr [edx], eax
push cs
adc byte ptr [edx], al
add al, 07h
add al, byte ptr [edx]
add al, byte ptr [esi]
and byte ptr [ecx], al
add dword ptr [ecx], edx
add byte ptr [ecx+01080801h], 00000000h
or byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ds
add dword ptr [eax], eax
add dword ptr [eax], eax
push esp
add dl, byte ptr [esi]
push edi
jc 00007FCC607E15F3h
jo 00007FCC607E15E0h
outsd
outsb
inc ebp
js 00007FCC607E15F5h
jo 00007FCC607E1607h
imul ebp, dword ptr [edi+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa4bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8514	0x8600	1cca0d2881e14144bf20bfc3c9485d4e	False	0.4981926305970149	data	5.769016579086216	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4d8	0x600	4a1fa6a8f336d577d96569112413936b	False	0.4036458333333333	data	3.796137077828513	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	9d7c92dfc6b979c918fc7d5b05577cb7	False	0.140625	data	1.003267243218549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 23:31:56.847624063 CET	1.1.1.1	192.168.2.11	0xe9af	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 23:31:56.847624063 CET	1.1.1.1	192.168.2.11	0xe9af	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly