Edit tour

Windows Analysis Report
test2.exe

Overview

General Information

Sample name:	test2.exe
Analysis ID:	1558605
MD5:	396ef18c45676b0074e41dc2212e06d3
SHA1:	fe07d7d57a66b71611086771260163432a9e7b55
SHA256:	1209c3df30d7d53edad5c43e122e5c14e350e9d229cdf1e263fd16ef22f485f0
Tags:	exeopendiruser-Joker
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

test2.exe (PID: 4468 cmdline: "C:\Users\user\Desktop\test2.exe" MD5: 396EF18C45676B0074E41DC2212E06D3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["158.247.200.45"], "Port": 7033, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
test2.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
test2.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x68f2:$cnc4: POST / HTTP/1.1
Process Memory Space: test2.exe PID: 4468	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.test2.exe.db0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.test2.exe.db0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: test2.exe

Avira: detected

Found malware configuration

Source: test2.exe

Malware Configuration Extractor: Xworm {"C2 url": ["158.247.200.45"], "Port": 7033, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: test2.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: test2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: test2.exe	String decryptor: 158.247.200.45
Source: test2.exe	String decryptor: 7033
Source: test2.exe	String decryptor: <123456789>
Source: test2.exe	String decryptor: <Xwormmm>
Source: test2.exe	String decryptor: XWorm V5.6
Source: test2.exe	String decryptor: USB.exe

Source: test2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: test2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 158.247.200.45

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 158.247.200.45:7033

Source: Joe Sandbox View

ASN Name: FEWPBUS FEWPBUS

Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45
Source: unknown	TCP traffic detected without corresponding DNS query: 158.247.200.45

System Summary

Malicious sample detected (through community Yara rule)

Source: test2.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.test2.exe.db0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: test2.exe, 00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs test2.exe
Source: test2.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs test2.exe

Source: test2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: test2.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.test2.exe.db0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: test2.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: test2.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: test2.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\test2.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\test2.exe	Mutant created: \Sessions\1\BaseNamedObjects\1kxWUkLkK2xrr7Fy

Source: test2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: test2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\test2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: test2.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\test2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Section loaded: mswsock.dll	Jump to behavior

Source: test2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: test2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: test2.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: test2.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: test2.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: test2.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: test2.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\test2.exe	Memory allocated: 1520000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\test2.exe	Memory allocated: 1B150000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\test2.exe

Window / User API: threadDelayed 9740

Jump to behavior

Source: C:\Users\user\Desktop\test2.exe TID: 352	Thread sleep count: 247 > 30	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe TID: 352	Thread sleep time: -247000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe TID: 352	Thread sleep count: 9740 > 30	Jump to behavior
Source: C:\Users\user\Desktop\test2.exe TID: 352	Thread sleep time: -9740000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\test2.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: test2.exe, 00000000.00000002.3963607804.00000000013D7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\test2.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\test2.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\test2.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\test2.exe

Queries volume information: C:\Users\user\Desktop\test2.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\test2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: test2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.test2.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test2.exe PID: 4468, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: test2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.test2.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test2.exe PID: 4468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	121 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
test2.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
test2.exe	100%	Avira	HEUR/AGEN.1311730
test2.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
158.247.200.45	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
158.247.200.45	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
158.247.200.45	unknown	United States		26133	FEWPBUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558605
Start date and time:	2024-11-19 16:14:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 20 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com
Execution Graph export aborted for target test2.exe, PID 4468 because it is empty
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: test2.exe

Simulations

Behavior and APIs

Time	Type	Description
10:15:23	API Interceptor	14590361x Sleep call for process: test2.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FEWPBUS	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	158.247.196.119
	nullnet_load.arm.elf	Get hash	malicious	Mirai	Browse	204.118.65.199
	porM7ZoSGI.exe	Get hash	malicious	Merlin	Browse	158.247.248.136
	LlCTrWUOQE.exe	Get hash	malicious	Unknown	Browse	158.247.248.136
	2CJeeUSPYN.exe	Get hash	malicious	Unknown	Browse	158.247.248.136
	1.jpg.exe	Get hash	malicious	Unknown	Browse	158.247.219.207
	SecuriteInfo.com.Win64.MalwareX-gen.20346.14970.exe	Get hash	malicious	Sliver	Browse	158.247.208.174
	SecuriteInfo.com.Win64.MalwareX-gen.20346.14970.exe	Get hash	malicious	Sliver	Browse	158.247.208.174
	jhpg1LVUrZ.elf	Get hash	malicious	Mirai	Browse	158.247.155.125
	f8txrlLgsG.elf	Get hash	malicious	Mirai	Browse	63.131.206.237

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.712252087672667
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	test2.exe
File size:	303'616 bytes
MD5:	396ef18c45676b0074e41dc2212e06d3
SHA1:	fe07d7d57a66b71611086771260163432a9e7b55
SHA256:	1209c3df30d7d53edad5c43e122e5c14e350e9d229cdf1e263fd16ef22f485f0
SHA512:	3c46d42d0f054ebda330cda1a37aeaf833c697c78f476fa1db80f888608582e7fddeed8daab0e0f373ad6446131e2323f335d787b5a7b58032adcd3333bebb29
SSDEEP:	3072:TvNYzFFE9jZOjmAZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ+ZZZZZZZZZZZZZP:z8E9Z+GIIIIIIIhIIIIIIIIIIIIIIIU
TLSH:	B75410606A050EBCEFE0BA74EBDD536513A52E92013B58CF13D03F8A3537D53BA9A056
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;g.................x...(......n.... ........@.. ....................................@................................

File Icon


Icon Hash:	0f63e5d3f35c6917

Static PE Info

General

Entrypoint:	0x40976e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673BC3DA [Mon Nov 18 22:46:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x971c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4259c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7774	0x7800	0808c5d51173cb697b1831e1855d5f1e	False	0.5011393229166666	data	5.741152482882237	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4259c	0x42600	4dc0f0c6225dabff9aaa3667d86e7da7	False	0.07438059086629002	data	5.551053673748052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0xc	0x200	3ee5eb55d2c84cad34ece42377c6f250	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa130	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.07212548451045951
RT_GROUP_ICON	0x4c158	0x14	data	0.9
RT_VERSION	0x4c16c	0x244	data	0.4724137931034483
RT_MANIFEST	0x4c3b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 16:15:24.544512987 CET	49704	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:25.551495075 CET	49704	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:27.551508904 CET	49704	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:31.551619053 CET	49704	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:39.551548958 CET	49704	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:45.713706017 CET	49706	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:46.723618984 CET	49706	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:48.739198923 CET	49706	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:15:52.754733086 CET	49706	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:00.754920006 CET	49706	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:06.865104914 CET	49708	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:07.865319014 CET	49708	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:09.864243984 CET	49708	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:13.879822016 CET	49708	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:21.879849911 CET	49708	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:27.990360022 CET	49710	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:29.004869938 CET	49710	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:31.004939079 CET	49710	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:35.004913092 CET	49710	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:43.005057096 CET	49710	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:53.428678989 CET	49718	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:54.442470074 CET	49718	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:16:56.461579084 CET	49718	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:00.458966970 CET	49718	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:08.458177090 CET	49718	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:14.569569111 CET	49725	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:15.641350985 CET	49725	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:17.731550932 CET	49725	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:21.770719051 CET	49725	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:29.816572905 CET	49725	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:36.021706104 CET	49727	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:37.052254915 CET	49727	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:39.067750931 CET	49727	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:43.069685936 CET	49727	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:51.067729950 CET	49727	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:57.194665909 CET	49730	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:17:58.192737103 CET	49730	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:00.192739964 CET	49730	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:04.192760944 CET	49730	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:12.208415031 CET	49730	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:18.320703983 CET	49732	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:19.333487988 CET	49732	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:21.333489895 CET	49732	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:25.333858967 CET	49732	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:33.333753109 CET	49732	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:43.366883993 CET	49734	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:44.380441904 CET	49734	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:46.380413055 CET	49734	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:50.384089947 CET	49734	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:18:58.396315098 CET	49734	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:09.182004929 CET	49736	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:10.192990065 CET	49736	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:12.208622932 CET	49736	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:16.208647013 CET	49736	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:24.224291086 CET	49736	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:39.335445881 CET	49739	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:40.349622011 CET	49739	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:42.349441051 CET	49739	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:46.349402905 CET	49739	7033	192.168.2.8	158.247.200.45
Nov 19, 2024 16:19:54.352212906 CET	49739	7033	192.168.2.8	158.247.200.45

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: test2.exePID: 4468, Parent PID: 4084

General

Target ID:	0
Start time:	10:15:19
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\test2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\test2.exe"
Imagebase:	0xdb0000
File size:	303'616 bytes
MD5 hash:	396EF18C45676B0074E41DC2212E06D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1497145384.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: test2.exePID: 4468, Parent PID: 4084COMMON

Executed Functions

Function 00007FFB4AEB2258 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a505b77ea48a2b4d347cf55c3b1a8161987dbd8a88b0429606e208f72af5c4
Instruction ID: aeccbaa07f040bc0cb2d419a83b4a8bb60df9e48bd6b8c3170738de95ec2ba26
Opcode Fuzzy Hash: e7a505b77ea48a2b4d347cf55c3b1a8161987dbd8a88b0429606e208f72af5c4
Instruction Fuzzy Hash: 5271E2B190D6898FD749FFB8C8196A47BE4FF56310F2841FAD059CB1D3DA286806C751

Function 00007FFB4AEB21F5 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760f0f51bb4501b43c63db0f5321b8a08df2ad446e0d30bad848f69db5b820de
Instruction ID: 3b012ee6c114739a4f1610d6e6916f545ac7aa47c9d329deecdb2b2264f4827c
Opcode Fuzzy Hash: 760f0f51bb4501b43c63db0f5321b8a08df2ad446e0d30bad848f69db5b820de
Instruction Fuzzy Hash: 3951B29184E6C64EE757FFB889691A07FA4AF53215F2840FBD098CF1D3D91C6846C362

Function 00007FFB4AEB1CB3 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f8f7659a8dd4707c1fcd22f6c4fc189ab7de31c10580acb3f2fb30544cb383
Instruction ID: bb18ba240bf2274e281ad3bc934ef1252a6661464bab95c0a0b77ad617a55acc
Opcode Fuzzy Hash: 02f8f7659a8dd4707c1fcd22f6c4fc189ab7de31c10580acb3f2fb30544cb383
Instruction Fuzzy Hash: 79B14BA1A1DA494FE399FF3884192B97BD2FF99350F6400FAD45EC72D7DD2868028781

Function 00007FFB4AEB0718 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94c6745e5adef83abcfc57e0d87c338d33c7e7d849c274410e06f2250ccab0c
Instruction ID: 71c63f1db437587bbc52ab1d17d1d8044dc2ecd4341edbfd8a4bf24bc8ec3c56
Opcode Fuzzy Hash: e94c6745e5adef83abcfc57e0d87c338d33c7e7d849c274410e06f2250ccab0c
Instruction Fuzzy Hash: 31A124A1B1DD094BE799FF3CC4192B976E6FF88350F6401B9E45ED32C6DD28A8028781

Function 00007FFB4AEB0925 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e013ac0f72c12db5ff380fba7425fa7ed0a1e19d1ab6df56de30a06b1284a3
Instruction ID: ed62a8f6d164174cf6abea0678559fcf5f85be99b9f87dedcb8f8a1d3d6709e7
Opcode Fuzzy Hash: 66e013ac0f72c12db5ff380fba7425fa7ed0a1e19d1ab6df56de30a06b1284a3
Instruction Fuzzy Hash: C15104A1A5DA4E4FE799FB38C45D1E97B96FF89250B9004FAE41EC31C7CD28B8018751

Function 00007FFB4AEB0F7E Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ac8db8ed861c42c1d55e92a7ab3b53694fa8f4346330c3fd0aa21434bfdd2b
Instruction ID: a837875e861050a13c48ed40f875239732a43d0ad055fcde8ae3d1242ea76813
Opcode Fuzzy Hash: f7ac8db8ed861c42c1d55e92a7ab3b53694fa8f4346330c3fd0aa21434bfdd2b
Instruction Fuzzy Hash: FD513861A5EA860FE396FB38D85A6753BD5EF86210B1800FAD88DC71D3DC1DAC428352

Function 00007FFB4AEB1738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122fc5e2270c539382dda819e2e282d129b1fe1c1e88d1ab7d6638aaac2f4448
Instruction ID: fa5ebf62d74bc5793b41c0d03ad4c63ba620fe31f3f9b224ef498d3790428388
Opcode Fuzzy Hash: 122fc5e2270c539382dda819e2e282d129b1fe1c1e88d1ab7d6638aaac2f4448
Instruction Fuzzy Hash: 3D51F47094E6864FE746FB7488166A5BFA1FF17320F2802F9D0A9C71D7CA2DA842C751

Function 00007FFB4AEB148D Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dcb97c00125d062769bb293a1451d6e666ca58b46eb93980cbc37f89d8d7ea
Instruction ID: 5035e83ce889690d7bc04f4c6e00bdf0e3999a7eafeccae21dd627de0ed63026
Opcode Fuzzy Hash: 01dcb97c00125d062769bb293a1451d6e666ca58b46eb93980cbc37f89d8d7ea
Instruction Fuzzy Hash: BA519E74A0DA5C8FDB58FF68C459BA97BE5FB55311F1001AEE00AC3691CB36E801CB51

Function 00007FFB4AEB0B5E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577f9fd39131a8f58f9925c536e351940e5644aeeec97e7e7f4b5e8017127796
Instruction ID: f97cc679eb75483391b71b6c42ee963a5b93eec4bbd554851165b5f55fbfd866
Opcode Fuzzy Hash: 577f9fd39131a8f58f9925c536e351940e5644aeeec97e7e7f4b5e8017127796
Instruction Fuzzy Hash: B341D36170DA890FE786EB7C985A2787BD1EF9A215B0801FEE44DC72E3DD189C068351

Function 00007FFB4AEB0E11 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b96e13876e093b090322f335d84e3d345f9d4a5d3508ab8cb3fa72cdbe063e
Instruction ID: c3991cc596525b710b2ed2d04c3dd39d7dac0ad4bcfdc921d5ee2a9e889c85f7
Opcode Fuzzy Hash: e9b96e13876e093b090322f335d84e3d345f9d4a5d3508ab8cb3fa72cdbe063e
Instruction Fuzzy Hash: B041C761B19A094FFB45FBBCD84D6BDB7D5FB98351F1042BAE40DC3192DD28A8418391

Function 00007FFB4AEB0780 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a995f79c0117e1dea097a18edbd1a24fefc018ebf2958052f0a58065989740
Instruction ID: 95379c3c086020f14d3cbfa67b0475609e15ae43685d1b0e606bc89a0ab655ef
Opcode Fuzzy Hash: 91a995f79c0117e1dea097a18edbd1a24fefc018ebf2958052f0a58065989740
Instruction Fuzzy Hash: CA419C74A09A1DCFDB98FF68C499BA977E5FB15315F20016EE00AC3691CB36E8418B40

Function 00007FFB4AEB04C8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fa9a3f12b692a17bd57c3c922e675667e3ce6f7ee3e3931b65919191faddb0
Instruction ID: 679e6a02e56b0185968626fb9f433646b4e7a46b129c35f513062a52e2319f38
Opcode Fuzzy Hash: b2fa9a3f12b692a17bd57c3c922e675667e3ce6f7ee3e3931b65919191faddb0
Instruction Fuzzy Hash: A231E561B1D9494FE789FB7C985E378B6C1EB99215F1401BEE40EC32D3DD28AC018345

Function 00007FFB4AEB0710 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f12b182946c6f5de8c0156ad3e49f952ffe7d98732a9e22e7c104ba66f25f3
Instruction ID: beb3f387ea3a7f5d1e5f0017edd914a81aaedef97e44e4e6b35d1c55a70590ff
Opcode Fuzzy Hash: 15f12b182946c6f5de8c0156ad3e49f952ffe7d98732a9e22e7c104ba66f25f3
Instruction Fuzzy Hash: 68418071A1990A8FEB89FF78C0596B9B7E5FF54310F2401BDD02ED32C6CE29A8418741

Function 00007FFB4AEB0CC1 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6f489bf6a0ab22598689ed70948174bbf40a4d10da2134c8fd46b47268f466
Instruction ID: 16c1d33ac0a2f5a05341bc0439162e9657a86636039fd4dbed045649f8d3e37d
Opcode Fuzzy Hash: 0c6f489bf6a0ab22598689ed70948174bbf40a4d10da2134c8fd46b47268f466
Instruction Fuzzy Hash: 0A4192B0A19A4E8FEB45FBB8C4596E9BBF1FF89300F6445B9D049D32C6CD28B8018751

Function 00007FFB4AEB13D5 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a4e2590f7cfbb16cf8c56aee6a74c5650d9ed7d4e702d307bba5104a6688d3
Instruction ID: 8b6604e753d9e175318f610f40d17a0d9e56c02f2cdc251d8c6a0dd7696e4a8c
Opcode Fuzzy Hash: d8a4e2590f7cfbb16cf8c56aee6a74c5650d9ed7d4e702d307bba5104a6688d3
Instruction Fuzzy Hash: 7321F7A0E4E6524BF756FF78C55A2B826A6BF85320F7400F9E41DC71C7DD2DB8024291

Function 00007FFB4AEB12C1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84418b300071630c65ddc2fb1717c56ec1296c800f56ae24717a7d7727aa8ef9
Instruction ID: ed738bfe98138b903bc430a536d3552e47406af7d42e0c104c408a9360485412
Opcode Fuzzy Hash: 84418b300071630c65ddc2fb1717c56ec1296c800f56ae24717a7d7727aa8ef9
Instruction Fuzzy Hash: FA01C8B19086CD8FD74DEF38886D1A93FF1FB96104B5400EFD05AE65D2DA3514418751

Function 00007FFB4AEB135D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4cbcae328b4775563665f058e272335a7cc0f59b01c707014dc6c0d9bdd83a
Instruction ID: fed09da2ef9e8b6d3de54e5270e230642aaa10a0eca0fc27117c6aff5f533278
Opcode Fuzzy Hash: 0b4cbcae328b4775563665f058e272335a7cc0f59b01c707014dc6c0d9bdd83a
Instruction Fuzzy Hash: F60142A0E0E6820BF75AFE78842E2B82695BF41300F3400FDD40D825D3ED1CA8008341

Function 00007FFB4AEB143B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e253caa243400334c822a90040d872a7734beb0668235892fc67a312e2b665c4
Instruction ID: d67e9b133f0691d4c4e04a8544934139e06965b6bf65cc55ff83eb6906fc952a
Opcode Fuzzy Hash: e253caa243400334c822a90040d872a7734beb0668235892fc67a312e2b665c4
Instruction Fuzzy Hash: 83F0AFB0D4E4128AF256FF38C2596B876AABB95320F7001B4D42DC21CADE39B4518291

Function 00007FFB4AEB1284 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029e7508dc173888e4dfc9f8aa9f5a3cbdf132be9c1e0ec28ed217a49cc5e552
Instruction ID: f83baecdf4d3b70e2e43dd2dcc0fadef8a555b8837a4954aa179fe7e093f9072
Opcode Fuzzy Hash: 029e7508dc173888e4dfc9f8aa9f5a3cbdf132be9c1e0ec28ed217a49cc5e552
Instruction Fuzzy Hash: B9D0C240C8E2C20AE70B7A780E465D07F649B031A0B6902D2D454C74D7D88D249A4372

Function 00007FFB4AEB1141 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3966148576.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aeb0000_test2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601ada45d6178046a3fa4ab6708d94b39b13961137dfee1a60bdd767dd58d12b
Instruction ID: 690e259453e7dd180369fedfa12ac2b022917d73eddecc1a3c9e189fe41adcbe
Opcode Fuzzy Hash: 601ada45d6178046a3fa4ab6708d94b39b13961137dfee1a60bdd767dd58d12b
Instruction Fuzzy Hash: F0E0C27286838C4FE742BE7058121DA7B28FF51200F5105CBF418C7092E620A6188382

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
test2.exe