Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1560855
MD5:	feeffe6b4ec91b7313a0f0c3a2bc9850
SHA1:	420d2d6af474adfa2914c976dfa2b98f298276a0
SHA256:	4acc559876c3fad0f837761f3eaad7fcaa080e06f0d9d50f185e0d8e575fc238
Tags:	exeuser-Bitsight
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: file.exe

Malware Configuration Extractor: Xworm {"C2 url": ["87.120.113.179"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: file.exe	String decryptor: 87.120.113.179
Source: file.exe	String decryptor: 7000
Source: file.exe	String decryptor: <123456789>
Source: file.exe	String decryptor: <Xwormmm>
Source: file.exe	String decryptor: XWorm V5.6
Source: file.exe	String decryptor: USB.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.113.179:7000 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.113.179:7000 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 87.120.113.179:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.113.179

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 87.120.113.179:7000

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179

Source: file.exe, 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: file.exe, XLogger.cs

.Net Code: KeyboardLayout

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\file.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E58A02	0_2_00007FF848E58A02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E5B759	0_2_00007FF848E5B759
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E57C56	0_2_00007FF848E57C56

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: file.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: file.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\cga3LG3MEu39iwYg

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: file.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: file.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: file.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: file.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: file.exe, Messages.cs	.Net Code: Memory

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF848E53EAF pushad ; iretd

0_2_00007FF848E53EBD

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1150000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1AFE0000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1355			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 8494			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 6648

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.4524539432.000000001C080000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 42% for more than 60s

Enables debug privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: file.exe, 00000000.00000002.4524539432.000000001C080000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6152, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6152, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.113.179	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
87.120.113.179	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: file.exe

Malware Configuration Extractor: Xworm {"C2 url": ["87.120.113.179"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: file.exe	String decryptor: 87.120.113.179
Source: file.exe	String decryptor: 7000
Source: file.exe	String decryptor: <123456789>
Source: file.exe	String decryptor: <Xwormmm>
Source: file.exe	String decryptor: XWorm V5.6
Source: file.exe	String decryptor: USB.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.113.179:7000 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.113.179:7000 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 87.120.113.179:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.113.179

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 87.120.113.179:7000

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.179

Source: file.exe, 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: file.exe, XLogger.cs

.Net Code: KeyboardLayout

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\file.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E58A02	0_2_00007FF848E58A02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E5B759	0_2_00007FF848E5B759
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E57C56	0_2_00007FF848E57C56

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: file.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: file.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\cga3LG3MEu39iwYg

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: file.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: file.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: file.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: file.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: file.exe, Messages.cs	.Net Code: Memory

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF848E53EAF pushad ; iretd

0_2_00007FF848E53EBD

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1150000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1AFE0000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1355			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 8494			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 6648

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.4524539432.000000001C080000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 42% for more than 60s

Enables debug privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: file.exe, 00000000.00000002.4524539432.000000001C080000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6152, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6152, type: MEMORYSTR

ID:	1560855
Product:	CloudBasic
Start time:	12:32:06
Start date:	22.11.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	feeffe6b4ec91b7313a0f0c3a2bc9850
SHA1:	420d2d6af474adfa2914c976dfa2b98f298276a0
SHA256:	4acc559876c3fad0f837761f3eaad7fcaa080e06f0d9d50f185e0d8e575fc238
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by