Edit tour

Windows Analysis Report
XClient.exe

Overview

General Information

Sample Name:	XClient.exe
Analysis ID:	869012
MD5:	25a16f364fa103d6d2ab254065bfe2d2
SHA1:	1759fb535c7514d063d12e3687856507d7ec9bc7
SHA256:	2698fb5c3c46ef781958f43e418e2a193b97b3d09900678650ba2190c1cea15e
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Yara detected XWorm

Multi AV Scanner detection for domain / URL

Yara detected Generic Downloader

.NET source code contains method to dynamically call methods (often used by packers)

Contains functionality to capture screen (.Net source)

C2 URLs / IPs found in malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

May check the online IP address of the machine

.NET source code contains potential unpacker

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

Checks if the current process is being debugged

Detected potential crypto function

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Enables debug privileges

Classification

Process Tree

System is w10x64

XClient.exe (PID: 7016 cmdline: C:\Users\user\Desktop\XClient.exe MD5: 25A16F364FA103D6D2AB254065BFE2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{
  "C2 url": "even-house.at.ply.gg",
  "Port": "40766",
  "Aes key": "<123456789>",
  "Install file": "USB.exe"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
XClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc678:$s6: VirtualBox 0xc5d6:$s8: Win32_ComputerSystem 0xdf7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe019:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe12e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd328:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc478:$s6: VirtualBox 0xc3d6:$s8: Win32_ComputerSystem 0xdd7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xde19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xdf2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd128:$cnc4: POST / HTTP/1.1
Process Memory Space: XClient.exe PID: 7016	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.XClient.exe.8b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.XClient.exe.8b0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.XClient.exe.8b0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc678:$s6: VirtualBox 0xc5d6:$s8: Win32_ComputerSystem 0xdf7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe019:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe12e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd328:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XClient.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.654685537.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": "even-house.at.ply.gg", "Port": "40766", "Aes key": "<123456789>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: XClient.exe	ReversingLabs: Detection: 75%
Source: XClient.exe	Virustotal: Detection: 74%			Perma Link

Antivirus detection for URL or domain

Source: even-house.at.ply.gg

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: even-house.at.ply.gg

Virustotal: Detection: 7%

Perma Link

Machine Learning detection for sample

Source: XClient.exe

Joe Sandbox ML: detected

Source: XClient.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XClient.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.8b0000.0.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: even-house.at.ply.gg

May check the online IP address of the machine

Source: C:\Users\user\Desktop\XClient.exe

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: XClient.exe, 00000000.00000002.654685537.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.654685537.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: XClient.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: XClient.exe, 00000000.00000002.654685537.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.comx
Source: XClient.exe, 00000000.00000002.654685537.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: XClient.exe, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: xbYU61LaTe5gz6268VCTlrizEDql9NK37HA
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: xbYU61LaTe5gz6268VCTlrizEDql9NK37HA

System Summary

Malicious sample detected (through community Yara rule)

Source: XClient.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.XClient.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: XClient.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XClient.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.XClient.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: XClient.exe, 00000000.00000002.654495766.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs XClient.exe

Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FF9A58810A9	0_2_00007FF9A58810A9
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FF9A58868C2	0_2_00007FF9A58868C2
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FF9A5885706	0_2_00007FF9A5885706
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FF9A5880CAA	0_2_00007FF9A5880CAA
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FF9A5881B2D	0_2_00007FF9A5881B2D

Source: XClient.exe	ReversingLabs: Detection: 75%
Source: XClient.exe	Virustotal: Detection: 74%

Source: XClient.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\XClient.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XClient.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

Mutant created: \Sessions\1\BaseNamedObjects\A5zb16WZlfeMzH1q

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: XClient.exe, Stub/dS3nyInUjs5Mefmh5pPjW60W1Q6ra8DwnF2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe, Stub/dS3nyInUjs5Mefmh5pPjW60W1Q6ra8DwnF2.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: XClient.exe, Stub/u0030ibt14tLvxNqcXE4Rf0eGzCUCJlLBoXPUk0.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/dS3nyInUjs5Mefmh5pPjW60W1Q6ra8DwnF2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/dS3nyInUjs5Mefmh5pPjW60W1Q6ra8DwnF2.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/u0030ibt14tLvxNqcXE4Rf0eGzCUCJlLBoXPUk0.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\XClient.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: XClient.exe, Stub/s0U1pZ3hU3f0Al0ZIek8eywCcryNFUX61nR.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: XClient.exe, Stub/s0U1pZ3hU3f0Al0ZIek8eywCcryNFUX61nR.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/s0U1pZ3hU3f0Al0ZIek8eywCcryNFUX61nR.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/s0U1pZ3hU3f0Al0ZIek8eywCcryNFUX61nR.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\XClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: XClient.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XClient.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XClient.exe, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", V_8, null, null, null, true)
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", V_8, null, null, null, true)

.NET source code contains potential unpacker

Source: XClient.exe, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: nMNfgL0rwqXMNDiB4b1Q51efTU8eaqW7VOv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: XClient.exe, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: FTd98HmvpjgaoiAYGpCJOmjPzRknFqUNKZ1 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: XClient.exe, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: FTd98HmvpjgaoiAYGpCJOmjPzRknFqUNKZ1
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: nMNfgL0rwqXMNDiB4b1Q51efTU8eaqW7VOv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: FTd98HmvpjgaoiAYGpCJOmjPzRknFqUNKZ1 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	.Net Code: FTd98HmvpjgaoiAYGpCJOmjPzRknFqUNKZ1

Source: XClient.exe, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'xbYU61LaTe5gz6268VCTlrizEDql9NK37HA', 'nMNfgL0rwqXMNDiB4b1Q51efTU8eaqW7VOv', 'kXbf1qS3qgiiUoEB3qev4MH56Ndp4w7pow4', '31whRjAhj6VXkOsTY6dEyoCirbqWrMf7KCh', 'fcHQt1PeZDXhUUgVl1lT66wALEnTaI0DG0K', 'X6kRzVwBFt4waFH3VJj3fBLMGXbm2LqxjgP', 'CwpPXw6aYD3KnHM9P0JieoFP7QhXOL6tUhN', 'Y5fKn0nc8dAApCduMf0ejhmDLHfRdLCLRtf'
Source: XClient.exe, Stub/dS3nyInUjs5Mefmh5pPjW60W1Q6ra8DwnF2.cs	High entropy of concatenated method names: '.cctor', 'W9r8eom5kBYPKrq7WwDOgSvK6v5C6AKfy0E', 'fKHIjrQrG0tm8UUBSFAWf11h6w9eXAw9BAO', 'mV6NPuM1NrS2Of6eb1xma4vpkznGgnbqtDM', '11xVnl1EyaC1xliBscVfsLKWKYjFmcvCfsJ', 'TDBwpplbOtuK1EQqEB3z7L2TbJHO2pQdQVW', 'AjRcZbEWpFogZqOGYN0JjEqlOYMG9M5LI0q', 'gXOLaNQMiW1eEZWWr4gdY', 'czFXafqI7jvii0ieS9ZTc', 'bKbnuPN32qhiOONHjZeJN'
Source: XClient.exe, Stub/MOuDd6f6lqWe581qTPVbm1rE2QeKmeaum8Q.cs	High entropy of concatenated method names: '.ctor', 'QpGClFjjrcOUv8KtPsq9JEzyw7EoKQd2Mw1', 'Tj8LeV3I5tJM8IO2sBm7VAXcH5En0oay1gm', '4Un85SZsjBskOuCb95FpsSIPEyGGZngfInL', 'ICvfWTgvyh2ao4rS7TfH9Z5taklm3gYL9KO', 'fTN4cZoDe7GcmQS1FXDEHo7nkus2xdxiECU', 'HRXoDNa7C7tw8tNfLli2lCeJJiTeJdLMDiP', '80JBp9Ciwwz6ZugNwIhtMx6JGYxgw2vv8WX', 'JETJUVhSKY6hYWqLfkC8zvLuLDMMdRTLZNG', '8dPw226XcBUnFSE8CjVgnCwYAef7FeMTUpZ'
Source: XClient.exe, Stub/s0U1pZ3hU3f0Al0ZIek8eywCcryNFUX61nR.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'QSgkpYMLcCdVFiAWL0djmg8LFkHeRRYMOsE', 'qcPYfV0QW6pbNORpiIcgqwodMtSOkFYDpmF', 'OhtPsskt7pEqwCjFH9Oz0o2W9P4lpIc76y5', 'pOqCelcxmcQp1cDpOrFoPdsrXYYhQGfFmD9', 'uifaCfe4qtLXDeW4CXkn4EGboVa7XpW9MWV', 'ROnZ04TsRd72QJeh40Y5tnZDHylPVr3gR18', '1vwSqiOiRBjEcdj6He0AZWFix4N006felvL', 'iR1GrTaQvJJeVw5ZTwctsYuKdDIduWZoeuO'
Source: XClient.exe, Stub/tr7f9pgsmKzflIYAa2lBpTbBZYn7eezwP1K.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'JPLiztoMPwIaF5V5I9010R7BH363IWpetE5', 'iu2Br8tCs2SlA5I7UlvHgWm9dud6GcLRidv', 'iIBaPM8MA9UIW3P1Kbse6TREtgOxmVe5p6m', 'MNAKeXIzWtu8gSJ361ZAfkjUXpQC8gO8gL1', 'UPTxxvAn8SWjJ5L9cKjwPtoX77ArOmh0kRS', 'EHl4NN4PkdA3Noa4IxATjXKLJ6hjwsJ31eD', 'mVpvsE4kjDO6y8nAh05GslFogICHOkNJjzJ', 'y4payuZhPSkMFx3QCrlGOwy8SELLPxsPch5'
Source: XClient.exe, My/QxUlvO6rHc9wBgbMjMmZg2A6nTzVi4vyLhU.cs	High entropy of concatenated method names: '.cctor', 'OSpfYf5l4TYfGqccb3y7VuopCsQUJ0mSSWp', 'O2pYBz1zbTkeUGJPhmO0bmXuAcdhhCOF7QL', 'DHayv5KDvQa1D5P9qIowFAVPrUZORAfx7gX', 'uhRioRsMef2JQBx4Pa5posSa30VqePVAvu5', 'c6jYb8722ZjMvNH29KG75', 'BqvPA0fBI8MDjAR8sX62s', 'qYRRdAk4hZhDdzVPmilFV', 'wsQJiJUylOKu9ZoysTjQK', '02qQ5gVhBg4lThYeTETtX'
Source: XClient.exe, Stub/lXMGB3QhUs5UeQzbbzP6ZCZzIohVtIZioNw.cs	High entropy of concatenated method names: '.ctor', 'qkKYQ9l62aa8TXJonVigdGTvl71PJ97DHZ0', 'b9j799c79vSYm29ECYZRGCVoKrSM1wov5qg', 'w8m9XVHN0VGFGyTx6dQtA4349s1eO64omGX', 'WmOoJd4dLqZBxxLmJlLHSG1Q0tiNPmK2UIk', 'UcmDZBXEjIzZG4r8fYABW', 'bdaq9Je8N45jLZh2yhRV8', 'Org5AHdNrnbB8uUdd7nBg', 'NsOAEXLD4Y3oAwuWT2ipj', 'glct00C3MD70TShm4YaCC'
Source: XClient.exe, Stub/u0030ibt14tLvxNqcXE4Rf0eGzCUCJlLBoXPUk0.cs	High entropy of concatenated method names: '.ctor', '0WJ2lGMud4M1Fgd9Fp863AJNab0eD3U7c13', 'ThrOalaauHEvRqye0EcsADwZmgiZP0Ld0ks', 'GlO3vOAmtM5WTiJrS7kUu67HCTdVMr2fqLs', 'UsTXjuyib7zdYzvr6j2wx', 'R7owXHdlYqrerphyRf8te', 'a6e2bYBS8Q6tAqI62FrPC', 'emsui1LgCt7JyLzrW9gwv', 'ESaJRErHQy1v6MW0p0WS5', 'QPxLmtH027hCJvEBZDmcP'
Source: XClient.exe, Stub/u4L5p9xINqAuGP6i49BkT4TdKdxaZNEzSEn.cs	High entropy of concatenated method names: '.ctor', 'Ur7Zr0xNLqi9cgrEadwGlsCNCRQRiQhLakC', 'VKOgTBuLX2gjbm4cHfcTwi5niwzsvub6NST', 'khCFAGi4K4T4USZgeP441Zc2pWwtUyg3hvD', 'dBIeq0rhnmbRrbehSQGzP', 'eG7kFptuqeNSeosLRCkb3', 'jGnQAitz98G5wrrDCWeM8', 'v72lQLl1ZCvbqVqPrjG2J', 'IIMShXWPvtGE14r980vIL', '4oGa4jYLE5QQuITL1ZQPg'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/NIXf95cIBYqgFME2GO1bZlllR9tFwl3y7Oa.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'xbYU61LaTe5gz6268VCTlrizEDql9NK37HA', 'nMNfgL0rwqXMNDiB4b1Q51efTU8eaqW7VOv', 'kXbf1qS3qgiiUoEB3qev4MH56Ndp4w7pow4', '31whRjAhj6VXkOsTY6dEyoCirbqWrMf7KCh', 'fcHQt1PeZDXhUUgVl1lT66wALEnTaI0DG0K', 'X6kRzVwBFt4waFH3VJj3fBLMGXbm2LqxjgP', 'CwpPXw6aYD3KnHM9P0JieoFP7QhXOL6tUhN', 'Y5fKn0nc8dAApCduMf0ejhmDLHfRdLCLRtf'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/dS3nyInUjs5Mefmh5pPjW60W1Q6ra8DwnF2.cs	High entropy of concatenated method names: '.cctor', 'W9r8eom5kBYPKrq7WwDOgSvK6v5C6AKfy0E', 'fKHIjrQrG0tm8UUBSFAWf11h6w9eXAw9BAO', 'mV6NPuM1NrS2Of6eb1xma4vpkznGgnbqtDM', '11xVnl1EyaC1xliBscVfsLKWKYjFmcvCfsJ', 'TDBwpplbOtuK1EQqEB3z7L2TbJHO2pQdQVW', 'AjRcZbEWpFogZqOGYN0JjEqlOYMG9M5LI0q', 'gXOLaNQMiW1eEZWWr4gdY', 'czFXafqI7jvii0ieS9ZTc', 'bKbnuPN32qhiOONHjZeJN'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/MOuDd6f6lqWe581qTPVbm1rE2QeKmeaum8Q.cs	High entropy of concatenated method names: '.ctor', 'QpGClFjjrcOUv8KtPsq9JEzyw7EoKQd2Mw1', 'Tj8LeV3I5tJM8IO2sBm7VAXcH5En0oay1gm', '4Un85SZsjBskOuCb95FpsSIPEyGGZngfInL', 'ICvfWTgvyh2ao4rS7TfH9Z5taklm3gYL9KO', 'fTN4cZoDe7GcmQS1FXDEHo7nkus2xdxiECU', 'HRXoDNa7C7tw8tNfLli2lCeJJiTeJdLMDiP', '80JBp9Ciwwz6ZugNwIhtMx6JGYxgw2vv8WX', 'JETJUVhSKY6hYWqLfkC8zvLuLDMMdRTLZNG', '8dPw226XcBUnFSE8CjVgnCwYAef7FeMTUpZ'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/s0U1pZ3hU3f0Al0ZIek8eywCcryNFUX61nR.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'QSgkpYMLcCdVFiAWL0djmg8LFkHeRRYMOsE', 'qcPYfV0QW6pbNORpiIcgqwodMtSOkFYDpmF', 'OhtPsskt7pEqwCjFH9Oz0o2W9P4lpIc76y5', 'pOqCelcxmcQp1cDpOrFoPdsrXYYhQGfFmD9', 'uifaCfe4qtLXDeW4CXkn4EGboVa7XpW9MWV', 'ROnZ04TsRd72QJeh40Y5tnZDHylPVr3gR18', '1vwSqiOiRBjEcdj6He0AZWFix4N006felvL', 'iR1GrTaQvJJeVw5ZTwctsYuKdDIduWZoeuO'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/tr7f9pgsmKzflIYAa2lBpTbBZYn7eezwP1K.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'JPLiztoMPwIaF5V5I9010R7BH363IWpetE5', 'iu2Br8tCs2SlA5I7UlvHgWm9dud6GcLRidv', 'iIBaPM8MA9UIW3P1Kbse6TREtgOxmVe5p6m', 'MNAKeXIzWtu8gSJ361ZAfkjUXpQC8gO8gL1', 'UPTxxvAn8SWjJ5L9cKjwPtoX77ArOmh0kRS', 'EHl4NN4PkdA3Noa4IxATjXKLJ6hjwsJ31eD', 'mVpvsE4kjDO6y8nAh05GslFogICHOkNJjzJ', 'y4payuZhPSkMFx3QCrlGOwy8SELLPxsPch5'
Source: 0.0.XClient.exe.8b0000.0.unpack, My/QxUlvO6rHc9wBgbMjMmZg2A6nTzVi4vyLhU.cs	High entropy of concatenated method names: '.cctor', 'OSpfYf5l4TYfGqccb3y7VuopCsQUJ0mSSWp', 'O2pYBz1zbTkeUGJPhmO0bmXuAcdhhCOF7QL', 'DHayv5KDvQa1D5P9qIowFAVPrUZORAfx7gX', 'uhRioRsMef2JQBx4Pa5posSa30VqePVAvu5', 'c6jYb8722ZjMvNH29KG75', 'BqvPA0fBI8MDjAR8sX62s', 'qYRRdAk4hZhDdzVPmilFV', 'wsQJiJUylOKu9ZoysTjQK', '02qQ5gVhBg4lThYeTETtX'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/u4L5p9xINqAuGP6i49BkT4TdKdxaZNEzSEn.cs	High entropy of concatenated method names: '.ctor', 'Ur7Zr0xNLqi9cgrEadwGlsCNCRQRiQhLakC', 'VKOgTBuLX2gjbm4cHfcTwi5niwzsvub6NST', 'khCFAGi4K4T4USZgeP441Zc2pWwtUyg3hvD', 'dBIeq0rhnmbRrbehSQGzP', 'eG7kFptuqeNSeosLRCkb3', 'jGnQAitz98G5wrrDCWeM8', 'v72lQLl1ZCvbqVqPrjG2J', 'IIMShXWPvtGE14r980vIL', '4oGa4jYLE5QQuITL1ZQPg'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/u0030ibt14tLvxNqcXE4Rf0eGzCUCJlLBoXPUk0.cs	High entropy of concatenated method names: '.ctor', '0WJ2lGMud4M1Fgd9Fp863AJNab0eD3U7c13', 'ThrOalaauHEvRqye0EcsADwZmgiZP0Ld0ks', 'GlO3vOAmtM5WTiJrS7kUu67HCTdVMr2fqLs', 'UsTXjuyib7zdYzvr6j2wx', 'R7owXHdlYqrerphyRf8te', 'a6e2bYBS8Q6tAqI62FrPC', 'emsui1LgCt7JyLzrW9gwv', 'ESaJRErHQy1v6MW0p0WS5', 'QPxLmtH027hCJvEBZDmcP'
Source: 0.0.XClient.exe.8b0000.0.unpack, Stub/lXMGB3QhUs5UeQzbbzP6ZCZzIohVtIZioNw.cs	High entropy of concatenated method names: '.ctor', 'qkKYQ9l62aa8TXJonVigdGTvl71PJ97DHZ0', 'b9j799c79vSYm29ECYZRGCVoKrSM1wov5qg', 'w8m9XVHN0VGFGyTx6dQtA4349s1eO64omGX', 'WmOoJd4dLqZBxxLmJlLHSG1Q0tiNPmK2UIk', 'UcmDZBXEjIzZG4r8fYABW', 'bdaq9Je8N45jLZh2yhRV8', 'Org5AHdNrnbB8uUdd7nBg', 'NsOAEXLD4Y3oAwuWT2ipj', 'glct00C3MD70TShm4YaCC'

Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: XClient.exe, 00000000.00000002.654685537.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: XClient.exe	Binary or memory string: SBIEDLL.DLL+T0XIDNM41PJCRQ8SQZSPP+YHXHO6ABBR87ZPLIL9AZ0+QSQAS8KSQQXPT1ZJ6VXZM+MLFKF6J7NY7YJHDA96RS6+4F8KSQRFTQR7ZDSDOLAHZ+F6OYQSIATAOGV3HI2HMRN+M7DJHCYOQSBRPA49CAW60+SWE44PRJNZMLELUMLGL44+SXFE8WHJIRT6O9SAYDG8D+UNVAWUFXNBHNK3BJFLQNP+YDSXPEB6S15YQEKKFK3F6+JNEAW2EGLCDBTGIKL01LM+ACLFQ6RUC2SLYLOLUYNVC+KDBEITFRC0ESSC6H1XN05INFO

Source: C:\Users\user\Desktop\XClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\XClient.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: XClient.exe	Binary or memory string: vmware
Source: XClient.exe, 00000000.00000002.654935664.000000001B920000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\XClient.exe

Code function: 0_2_00007FF9A5885D6A CheckRemoteDebuggerPresent,

0_2_00007FF9A5885D6A

Source: C:\Users\user\Desktop\XClient.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

Queries volume information: C:\Users\user\Desktop\XClient.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7016, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7016, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	Path Interception	2 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
XClient.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.AsyncRAT
XClient.exe	75%	Virustotal		Browse
XClient.exe	100%	Avira	LNK/Runner.VPGD
XClient.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ip-api.comx	0%	URL Reputation	safe
even-house.at.ply.gg	100%	Avira URL Cloud	malware
even-house.at.ply.gg	8%	Virustotal		Browse

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
even-house.at.ply.gg	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XClient.exe, 00000000.00000002.654685537.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.comx	XClient.exe, 00000000.00000002.654685537.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	XClient.exe, 00000000.00000002.654685537.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.654685537.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	869012
Start date and time:	2023-05-18 16:35:20 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	XClient.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 6 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.222
Excluded domains from analysis (whitelisted): fp.msedge.net, a-0019.a-msedge.net, ocsp.digicert.com, a-0019.standard.a-msedge.net, ctldl.windowsupdate.com, 1.perf.msedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	runrunlastrun.vbs	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	jod.js	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	ip-api.com/json/
	shipment_docs.js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	Tax_Returns_of_R58,765.js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	proof_of_payment.js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/?fields=hosting
	Request_For_Quotation.js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	sss.png.ps1	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	stub.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	8888.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Clientrat.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	CrackedLoader.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Explorer.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win64.Trojan-gen.31951.26059.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	SecuriteInfo.com.Win64.Trojan-gen.31951.26059.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	HelloKittyCafe.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SrfFpGhGIc.exe	Get hash	malicious	VjW0rm, WSHRAT	Browse	ip-api.com/json/
	LOIC.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/?fields=hosting
	PeterBot.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	runrunlastrun.vbs	Get hash	malicious	Quasar	Browse	208.95.112.1
	jod.js	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	208.95.112.1
	shipment_docs.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	Tax_Returns_of_R58,765.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	proof_of_payment.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Request_For_Quotation.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	mal.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	meeting.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	p68hEdbp8M.exe	Get hash	malicious	Gurcu Stealer, RedLine, Vidar	Browse	208.95.112.1
	Invoice ID#8998744.html	Get hash	malicious	HTMLPhisher	Browse	51.77.64.70
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	sss.png.ps1	Get hash	malicious	Quasar	Browse	208.95.112.1
	6wXMsDIz1A.exe	Get hash	malicious	Gurcu Stealer, RedLine	Browse	208.95.112.1
	stub.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	8888.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Clientrat.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	CrackedLoader.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Explorer.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Trojan-gen.31951.26059.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	runrunlastrun.vbs	Get hash	malicious	Quasar	Browse	208.95.112.1
	jod.js	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	208.95.112.1
	shipment_docs.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	Tax_Returns_of_R58,765.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	proof_of_payment.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Request_For_Quotation.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	mal.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	meeting.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	p68hEdbp8M.exe	Get hash	malicious	Gurcu Stealer, RedLine, Vidar	Browse	208.95.112.1
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	sss.png.ps1	Get hash	malicious	Quasar	Browse	208.95.112.1
	6wXMsDIz1A.exe	Get hash	malicious	Gurcu Stealer, RedLine	Browse	208.95.112.1
	socialscrapper.exe	Get hash	malicious	Gurcu Stealer	Browse	208.95.112.1
	stub.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	8888.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Clientrat.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	CrackedLoader.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Explorer.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Trojan-gen.31951.26059.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.951936788865578
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	XClient.exe
File size:	64512
MD5:	25a16f364fa103d6d2ab254065bfe2d2
SHA1:	1759fb535c7514d063d12e3687856507d7ec9bc7
SHA256:	2698fb5c3c46ef781958f43e418e2a193b97b3d09900678650ba2190c1cea15e
SHA512:	13929145f9773b6bf44f19041eb3e05501d4f63a08c9aa4bdfac964599b8125be9aae4be2f9512de4580256325e28b46062e5668401ec10fbc97c5d96e07b57a
SSDEEP:	768:yw2dR2qCflaItGpeZgncUAHKr/TN31M2IybbEUgdLGk6u41O6ihciYcqTWUZ:G2ZLGbxasb7gwk6bO6i6iVqCE
TLSH:	CC537D5C37E54920E1FF1FB428B53217D735E757A803EA1F2889059A1A27A9CCE017E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._cd................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4110ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64635F10 [Tue May 16 10:46:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11058	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x4ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf0b4	0xf200	False	0.5801426911157025	data	6.03848119601686	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x4ce	0x600	False	0.3743489583333333	data	3.7196984311115475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x120a0	0x244	data
RT_MANIFEST	0x122e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 6
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 18, 2023 16:36:23.427736044 CEST	49705	80	192.168.2.5	208.95.112.1
May 18, 2023 16:36:23.457145929 CEST	80	49705	208.95.112.1	192.168.2.5
May 18, 2023 16:36:23.457341909 CEST	49705	80	192.168.2.5	208.95.112.1
May 18, 2023 16:36:23.461499929 CEST	49705	80	192.168.2.5	208.95.112.1
May 18, 2023 16:36:23.498827934 CEST	80	49705	208.95.112.1	192.168.2.5
May 18, 2023 16:36:23.550524950 CEST	49705	80	192.168.2.5	208.95.112.1
May 18, 2023 16:37:12.670042038 CEST	80	49705	208.95.112.1	192.168.2.5
May 18, 2023 16:37:12.670164108 CEST	49705	80	192.168.2.5	208.95.112.1
May 18, 2023 16:37:29.592516899 CEST	80	49705	208.95.112.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 18, 2023 16:36:23.388999939 CEST	61893	53	192.168.2.5	8.8.8.8
May 18, 2023 16:36:23.416227102 CEST	53	61893	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 18, 2023 16:36:23.388999939 CEST	192.168.2.5	8.8.8.8	0x40a5	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 18, 2023 16:36:23.416227102 CEST	8.8.8.8	192.168.2.5	0x40a5	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
May 18, 2023 16:36:37.890830994 CEST	8.8.8.8	192.168.2.5	0x923a	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49705	208.95.112.1	80	C:\Users\user\Desktop\XClient.exe

Timestamp	kBytes transferred	Direction	Data
May 18, 2023 16:36:23.461499929 CEST	0	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 18, 2023 16:36:23.498827934 CEST	0	IN	HTTP/1.1 200 OK Date: Thu, 18 May 2023 14:36:22 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Statistics

CPU Usage

• XClient.exe

Click to jump to process

Memory Usage

• XClient.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: XClient.exePID: 7016, Parent PID: 3324

Function Logs

General

Target ID:	0
Start time:	16:36:17
Start date:	18/05/2023
Path:	C:\Users\user\Desktop\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\XClient.exe
Imagebase:	0x8b0000
File size:	64512 bytes
MD5 hash:	25A16F364FA103D6D2AB254065BFE2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.386459266.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Volume Information Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Hard Error Raised

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Network Activities

Socket bound

Socket connected

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: XClient.exePID: 7016, Parent PID: 3324COMMON

Executed Functions

Function 00007FF9A5885706 Relevance: 1.7, Strings: 1, Instructions: 467COMMON

Download Yara Rule

Strings

8e7, xrefs: 00007FF9A5885909

Memory Dump Source

Source File: 00000000.00000002.655199024.00007FF9A5880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5880000, based on PE: false

Similarity

API ID:
String ID: 8e7
API String ID: 0-3004964361
Opcode ID: 15f7b047bbf02ee7290dc586c110a6d95b77dba3daad209c3c10eca77945176b
Instruction ID: 77b6cc88664c3e4785b538868b0a23c3b3cd22a20dab06b2339c698280c98a42
Opcode Fuzzy Hash: 15f7b047bbf02ee7290dc586c110a6d95b77dba3daad209c3c10eca77945176b
Instruction Fuzzy Hash: 7CF1B630A08A4D8FEBA8DF28D8567E977D1FF65310F04426EE84DC7291DF74A9458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A58868C2 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

8e7, xrefs: 00007FF9A5886BFB

Memory Dump Source

Source File: 00000000.00000002.655199024.00007FF9A5880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5880000, based on PE: false

Similarity

API ID:
String ID: 8e7
API String ID: 0-3004964361
Opcode ID: 330e29b101b7efa7a2f57319115c981d41d8045d7a724f1dcded60abe5f9c77d
Instruction ID: 421ab0244fa888b5f3a0874e823f402dc861d75097c03d5a936f8b72afbc8b9f
Opcode Fuzzy Hash: 330e29b101b7efa7a2f57319115c981d41d8045d7a724f1dcded60abe5f9c77d
Instruction Fuzzy Hash: FAE1C330A09A4E8FEBA8DF28D8557E977D1FF65710F14826ED84DC7291DF74A8408B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5885D6A Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF9A5887580

Memory Dump Source

Source File: 00000000.00000002.655199024.00007FF9A5880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5880000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 58581b123dbbe8c2a063eb6c662df2982441b00d1da74c60002490bdd2baf84d
Instruction ID: 741dc8c80716005b88ba1f73848e46ed2f77c1467fb210a438cc5c0737b9602b
Opcode Fuzzy Hash: 58581b123dbbe8c2a063eb6c662df2982441b00d1da74c60002490bdd2baf84d
Instruction Fuzzy Hash: 3531D23190861C8FCB58DF5CD8897ED7BE0FF69711F14426ED88AD7281DB70A8468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A58810A9 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655199024.00007FF9A5880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844d596102d2795afa26235d3635af6879b9498fe8a96c2ae69864389b1a3460
Instruction ID: a3aa74f33c931b9d872da57bcaebb9a1929d5fb263a3f6036f301e2f3a013b9a
Opcode Fuzzy Hash: 844d596102d2795afa26235d3635af6879b9498fe8a96c2ae69864389b1a3460
Instruction Fuzzy Hash: 14428460B18A094FE798EB7CA4953B977D2FF9A740F4445B9E44EC32D6DE68BC024381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5881B2D Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655199024.00007FF9A5880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f059ae707af8525380e2bc58f5d408e5046b788f35561b14c58d8aa4c65afb
Instruction ID: b37e9f6139a6b40d43b350a966fcd14a60704e58db7df95a840fabba29931eae
Opcode Fuzzy Hash: f5f059ae707af8525380e2bc58f5d408e5046b788f35561b14c58d8aa4c65afb
Instruction Fuzzy Hash: EC61016465E6C54FD746E77C58646B6BFE5DF87225B1800FBE0CDC61A3ED481806C382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A58874CD Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF9A5887580

Memory Dump Source

Source File: 00000000.00000002.655199024.00007FF9A5880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5880000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 84800cf6d5126da03a5828cc197403f319658e9cad008f50eedc3d7e5ebb61f7
Instruction ID: fb3fd805ff1e54f3a9827061c76df95341c0778794268f7edbe9c591be8541ef
Opcode Fuzzy Hash: 84800cf6d5126da03a5828cc197403f319658e9cad008f50eedc3d7e5ebb61f7
Instruction Fuzzy Hash: DE3121309087588FCB19DF68C8457E97BF0FF66311F0542ABD489D7192DB34A846CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF9A5880CAA Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

5`_^, xrefs: 00007FF9A5880CB1

Memory Dump Source

Source File: 00000000.00000002.655199024.00007FF9A5880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5880000, based on PE: false

Similarity

API ID:
String ID: 5`_^
API String ID: 0-529932743
Opcode ID: f2dea267dd3b8f97094c10583a0c6ca03056eac79f8cd000a005364ae59bd281
Instruction ID: 1783a652457fbcdb6b9d3be2b55114bfcd708ca179b2218d91012a5bcfbfdb6f
Opcode Fuzzy Hash: f2dea267dd3b8f97094c10583a0c6ca03056eac79f8cd000a005364ae59bd281
Instruction Fuzzy Hash: 87715267E0E2928FE752DB3C68951E57F60EF53664B0940F7C4D8DB0A3E948380E83A5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XClient.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
XClient.exe