
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560855
MD5: feeffe6b4ec91b7313a0f0c3a2bc9850
SHA1: 420d2d6af474adfa2914c976dfa2b98f298276a0
SHA256: 4acc559876c3fad0f837761f3eaad7fcaa080e06f0d9d50f185e0d8e575fc238
Tags: exe, user-Bitsight

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process tree

  • System is w10x64
  • file.exe (PID: 6152, cmdline: "C:\Users\user\Desktop\file.exe", MD5: FEEFFE6B4EC91B7313A0F0C3A2BC9850)
  • cleanup

Extracted malware configuration (XWorm)

{"C2 url": ["87.120.113.179"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches (sample)

Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | -
file.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see list below
  • 0x847e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x851b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8630:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8010:$cnc4: POST / HTTP/1.1

Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | -
00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see list below
  • 0x827e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x831b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8430:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7e10:$cnc4: POST / HTTP/1.1
00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | -
Process Memory Space: file.exe PID: 6152 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | -

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
0.0.file.exe.b20000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | -
0.0.file.exe.b20000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see list below
  • 0x847e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x851b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8630:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8010:$cnc4: POST / HTTP/1.1

No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T12:33:15.674703+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:33:27.645972+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:33:29.115942+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:33:39.651988+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:33:51.623575+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:33:59.115030+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:03.598581+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:12.501762+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:12.680835+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:12.834018+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:22.739502+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:22.950862+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:29.131947+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:29.943680+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:33.300453+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:33.510741+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:45.333915+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:47.749384+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:48.742121+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:48.896890+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:49.265779+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:58.092567+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:59.142680+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:59.352735+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:59.563160+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:11.131644+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:14.834281+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:26.815004+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:29.136466+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:37.806556+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:39.269786+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:42.458577+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:46.678354+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:56.920364+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:59.142873+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:02.521763+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:07.128053+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:12.972271+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:14.472365+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:16.930666+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:17.183752+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:17.346071+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:17.393972+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:17.471979+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:17.724574+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:17.856214+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:22.835403+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:22.990227+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:23.088701+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:24.058913+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:29.123431+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:33.120973+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:36.461577+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:37.776909+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:47.342373+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:58.800491+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:59.010892+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:59.134371+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:37:04.583462+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:37:06.438446+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T12:33:15.962727+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:33:27.647632+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:33:39.653644+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:33:51.625515+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:03.600788+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:12.503827+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:12.682700+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:12.835535+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:22.743840+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:22.952510+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:29.947527+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:33.302531+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:33.513443+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:45.341409+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:47.756680+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:48.808587+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:48.933015+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:49.299827+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:58.094570+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:59.361099+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:34:59.571690+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:11.133921+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:14.838218+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:26.818408+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:37.808756+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:39.276841+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:42.461339+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:46.680338+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:35:56.922209+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:02.547597+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:07.129886+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:12.974090+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:14.474747+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:17.005716+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:17.398474+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:17.433566+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:17.525919+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:17.769733+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:17.890311+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:23.019721+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:23.112644+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:24.063178+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:33.123159+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:36.464576+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:37.779737+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:47.347511+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:58.802343+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:36:59.012621+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:37:04.587492+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
2024-11-22T12:37:06.443626+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T12:33:29.115942+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:33:59.115030+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:29.131947+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:34:59.142680+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:29.136466+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:35:59.142873+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:29.123431+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
2024-11-22T12:36:59.134371+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T12:36:14.057662+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP


            AV Detection

Source: file.exe | Avira: detected
Source: file.exe | Malware Configuration Extractor: Xworm {"C2 url": ["87.120.113.179"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: file.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | String decryptor: 87.120.113.179
Source: file.exe | String decryptor: 7000
Source: file.exe | String decryptor: <123456789>
Source: file.exe | String decryptor: <Xwormmm>
Source: file.exe | String decryptor: XWorm V5.6
Source: file.exe | String decryptor: USB.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.113.179:7000 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.113.179:7000 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Malware configuration extractor | URLs: 87.120.113.179
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 87.120.113.179:7000
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.113.179
Source: file.exe, 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: file.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\file.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            Source: file.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF848E58A020_2_00007FF848E58A02
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF848E5B7590_2_00007FF848E5B759
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF848E57C560_2_00007FF848E57C56
            Source: file.exe, 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs file.exe
            Source: file.exeBinary or memory string: OriginalFilenameXClient.exe4 vs file.exe
            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: file.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: file.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: file.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: file.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\file.exeMutant created: NULL
            Source: C:\Users\user\Desktop\file.exeMutant created: \Sessions\1\BaseNamedObjects\cga3LG3MEu39iwYg
            Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: file.exeReversingLabs: Detection: 76%
            Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: file.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: file.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: file.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: file.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: file.exe, Messages.cs | .Net Code: Memory
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848E53EAF pushad ; iretd 0_2_00007FF848E53EBD
            Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1150000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1AFE0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1355
            Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 8494
            Source: C:\Users\user\Desktop\file.exe TID: 6648 | Thread sleep time: -922337203685477s >= -30000s
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\file.exe | File Volume queried: C:\ FullSizeInformation
            Source: file.exe, 00000000.00000002.4524539432.000000001C080000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 42% for more than 60s
            Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
            Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: file.exe, 00000000.00000002.4524539432.000000001C080000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: file.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: file.exe PID: 6152, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: file.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.file.exe.b20000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: file.exe PID: 6152, type: MEMORYSTR

            ATT&CK matrix by tactic (the number after a technique is the figure shown in the report's matrix cell):

            • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
            • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
            • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
            • Execution: Windows Management Instrumentation (11), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
            • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            • Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            • Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (232), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1)
            • Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
            • Discovery: Security Software Discovery (221), Process Discovery (1), Virtualization/Sandbox Evasion (232), Application Window Discovery (1), System Information Discovery (13), Wi-Fi Discovery
            • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
            • Collection: Input Capture (1), Archive Collected Data (11), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture
            • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication
            • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
            • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
            Source | Detection | Scanner | Label | Link
            file.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
            file.exe | 100% | Avira | TR/Spy.Gen
            file.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            87.120.113.179 | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            87.120.113.179 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              87.120.113.179 | unknown | Bulgaria | | 25206 | UNACS-AS-BG8000BurgasBG | true
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1560855
              Start date and time: 2024-11-22 12:32:06 +01:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 6m 14s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed: 4
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: file.exe
              Detection: MAL
              Classification: mal100.troj.spyw.evad.winEXE@1/0@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 4
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • VT rate limit hit for: file.exe
              Time | Type | Description
              06:33:01 | API Interceptor | 14376521x Sleep call for process: file.exe modified
              No context
              No context
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              UNACS-AS-BG8000BurgasBG | file.exe | malicious | XWorm | 87.120.112.33
              | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 87.120.115.30
              | G0822412237079O_Details_recal_pdf.js | malicious | WSHRAT | 87.120.115.30
              | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 87.120.115.30
              | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 87.120.115.30
              | https://www.plushtoysmfg.com/plush-keychain-factory/ | malicious | Anonymous Proxy | 87.120.125.158
              | FACTURA9876567800.docx.doc | malicious | Lokibot | 87.120.113.235
              | GT98765678000800.pif.exe | malicious | Lokibot | 87.120.113.235
              | POIUYTR0987000.bat.exe | malicious | Lokibot | 87.120.113.235
              | LGFH9876567800T..bat.exe | malicious | Lokibot | 87.120.113.235
              No context
              No context
              No created / dropped files found
              File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit): 5.594430231709924
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name: file.exe
              File size: 39'936 bytes
              MD5:feeffe6b4ec91b7313a0f0c3a2bc9850
              SHA1:420d2d6af474adfa2914c976dfa2b98f298276a0
              SHA256:4acc559876c3fad0f837761f3eaad7fcaa080e06f0d9d50f185e0d8e575fc238
              SHA512:44b66e4e2f345cbdbc963e57d334c45cef86c3875f35462e6eaa58612c5d3cc1e2879b3ce28e77bf91b3e287f30659f47d87e0418d7320cb6f2e7b6a7a2ec22c
              SSDEEP:384:IOJUBMcFRlOttRngu7/GQftLDC08+1uC2DGyg4/ZaVQkpkFMA0iLTuOZwp0U2v9S:dKM46+Qfx+t+VQGygBeF79WuO+htF76
              TLSH:1E036D04BBD04626DEED6FF065B376060730E617DA13EB5E0CE499AA1F676C4CE007A6
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)I@g................................. ........@.. ....................................@................................
              Icon Hash:00928e8e8686b000
              Entrypoint: 0x40b09e
              Entrypoint Section: .text
              Digitally signed: false
              Imagebase: 0x400000
              Subsystem: windows gui
              Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp: 0x67404929 [Fri Nov 22 09:04:41 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major: 4
              OS Version Minor: 0
              File Version Major: 4
              File Version Minor: 0
              Subsystem Version Major: 4
              Subsystem Version Minor: 0
              Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
              jmp dword ptr [00402000h]
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb050 | 0x4b | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x90a4 | 0x9200 | 279ca65b5e321313bcc99d30a9028c89 | False | 0.497511772260274 | data | 5.718886558342842 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc | 0xc000 | 0x4d8 | 0x600 | 2472af5ddbb53779b7381f16b8b9407b | False | 0.3756510416666667 | data | 3.7216503306685733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xe000 | 0xc | 0x200 | 9d09f41aa32f590eec26ba98d8189c55 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.4724137931034483
              RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
              DLL | Import
              mscoree.dll | _CorExeMain
              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
              2024-11-22T12:33:15.250704+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:33:15.674703+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:33:15.962727+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:33:27.645972+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:33:27.647632+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:33:29.115942+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:33:29.115942+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:33:39.651988+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:33:39.653644+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:33:51.623575+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:33:51.625515+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:33:59.115030+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:33:59.115030+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:03.598581+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:03.600788+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:12.501762+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:12.503827+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:12.680835+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:12.682700+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:12.834018+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:12.835535+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:22.739502+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:22.743840+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:22.950862+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:22.952510+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:29.131947+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:29.131947+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:29.943680+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:29.947527+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:33.300453+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:33.302531+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:33.510741+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:33.513443+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:45.333915+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:45.341409+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:47.749384+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:47.756680+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:48.742121+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.113.179 | 7000 | 192.168.2.5 | 49704 | TCP
              2024-11-22T12:34:48.808587+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 87.120.113.179 | 7000 | TCP
              2024-11-22T12:34:48.896890+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:34:48.933015+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:34:49.265779+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:34:49.299827+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:34:58.092567+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:34:58.094570+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:34:59.142680+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:34:59.142680+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:34:59.352735+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:34:59.361099+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:34:59.563160+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:34:59.571690+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:11.131644+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:11.133921+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:14.834281+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:14.838218+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:26.815004+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:26.818408+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:29.136466+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:29.136466+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:37.806556+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:37.808756+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:39.269786+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:39.276841+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:42.458577+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:42.461339+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:46.678354+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:46.680338+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:56.920364+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:56.922209+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:35:59.142873+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:35:59.142873+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:02.521763+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:02.547597+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:07.128053+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:07.129886+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:12.972271+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:12.974090+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:14.057662+01002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:14.472365+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:14.474747+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:16.930666+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:17.005716+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:17.183752+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:17.346071+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:17.393972+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:17.398474+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:17.433566+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:17.471979+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:17.525919+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:17.724574+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:17.769733+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:17.856214+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:17.890311+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:22.835403+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:22.990227+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:23.019721+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:23.088701+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:23.112644+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:24.058913+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:24.063178+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:29.123431+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:29.123431+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:33.120973+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:33.123159+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:36.461577+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:36.464576+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:37.776909+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:37.779737+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:47.342373+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:47.347511+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:58.800491+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:58.802343+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:59.010892+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:59.012621+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:36:59.134371+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:36:59.134371+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:37:04.583462+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:37:04.587492+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
              2024-11-22T12:37:06.438446+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.113.1797000192.168.2.549704TCP
              2024-11-22T12:37:06.443626+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54970487.120.113.1797000TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 12:33:02.992336988 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:03.117815018 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:03.117908955 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:03.272006035 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:03.393074989 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:15.250704050 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:15.370450020 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:15.674702883 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:15.729531050 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:15.962727070 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:16.082664013 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:27.229793072 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:27.350090981 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:27.645972013 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:27.647631884 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:27.767188072 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:29.115942001 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:29.166896105 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:39.214325905 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:39.334003925 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:39.651988029 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:39.653644085 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:39.795711040 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:51.198477030 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:51.318198919 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:51.623574972 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:51.625514984 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:33:51.746336937 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:59.115030050 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:33:59.166925907 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:03.183235884 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:03.303046942 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:03.598581076 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:03.600788116 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:03.720510960 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.058073997 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:12.178009033 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.229758978 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:12.350509882 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.350603104 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:12.470135927 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.501761913 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.503827095 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:12.666243076 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.680835009 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.682699919 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:12.802515984 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.834017992 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:12.835535049 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:12.998291969 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:22.323894978 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:22.444529057 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:22.444601059 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:22.564971924 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:22.739501953 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:22.743839979 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:22.863580942 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:22.950861931 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:22.952510118 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:23.075932980 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:29.131947041 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:29.260766029 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:29.526577950 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:29.646626949 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:29.943680048 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:29.947526932 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:30.069713116 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:32.886286974 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:33.005985975 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:33.006037951 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:33.126070976 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:33.300452948 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:33.302531004 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:33.422194004 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:33.510740995 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:33.513442993 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:33.633125067 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:44.901576042 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:45.021228075 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:45.333914995 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:45.341408968 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:45.461241961 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:47.325678110 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:47.445509911 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:47.749383926 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:47.756680012 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:47.876281023 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.323617935 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:48.443382978 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.443453074 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:48.564460039 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.564536095 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:48.684740067 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.684850931 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:48.742120981 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.808515072 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.808587074 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:48.896889925 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.932960987 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:48.933015108 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:49.017694950 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:49.054949045 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:49.055013895 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:49.104998112 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:49.174624920 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:49.179678917 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:49.265779018 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:49.299747944 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:49.299827099 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:49.419821024 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:57.667279005 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:57.786977053 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:58.092566967 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:58.094569921 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:58.214148045 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:58.698544025 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:58.818569899 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:58.818648100 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:58.938216925 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:59.142679930 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:59.263684988 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:59.352735043 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:59.361099005 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:59.480807066 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:59.563159943 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:34:59.571690083 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:34:59.691344976 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:10.714251041 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:10.833951950 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:11.131644011 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:11.133920908 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:11.256102085 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:14.417463064 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:14.537041903 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:14.834280968 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:14.838217974 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:14.960227966 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:26.401580095 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:26.521194935 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:26.815004110 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:26.818408012 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:26.939564943 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:29.136466026 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:29.260889053 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:37.385934114 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:37.505574942 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:37.806555986 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:37.808756113 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:37.929543972 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:38.854779005 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:38.974473000 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:39.269785881 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:39.276840925 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:39.398228884 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:42.042227983 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:42.162014961 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:42.458576918 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:42.461338997 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:42.581012964 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:46.261019945 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:46.380882025 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:46.678354025 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:46.680337906 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:46.799860001 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:56.495279074 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:56.614955902 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:56.920363903 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:56.922209024 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:35:57.042963028 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:59.142873049 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:35:59.198091030 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:02.105557919 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:02.225253105 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:02.521763086 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:02.547596931 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:02.667983055 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:06.713969946 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:06.833457947 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:07.128052950 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:07.129885912 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:07.249425888 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:12.557802916 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:12.677750111 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:12.972270966 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:12.974090099 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:13.093736887 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:14.057662010 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:14.177434921 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:14.472364902 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:14.474746943 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:14.596121073 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:16.510912895 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:16.631334066 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:16.760948896 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:16.884500980 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:16.884567976 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:16.930665970 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:16.930752039 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.005644083 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.005716085 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.050956011 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.051029921 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.125282049 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.125343084 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.173283100 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.183752060 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.229298115 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.298212051 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.306289911 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.346071005 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.393971920 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.398473978 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.425923109 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.433566093 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.471978903 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.518096924 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.525918961 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.553263903 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.604196072 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.645729065 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.645875931 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.724574089 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.766638994 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.769732952 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:17.856214046 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.889369965 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:17.890311003 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:18.009962082 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:22.417130947 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:22.540326118 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
Nov 22, 2024 12:36:22.540390015 CET | 49704 | 7000 | 192.168.2.5 | 87.120.113.179
Nov 22, 2024 12:36:22.659950018 CET | 7000 | 49704 | 87.120.113.179 | 192.168.2.5
              Nov 22, 2024 12:36:22.660057068 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:22.779881001 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:22.779934883 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:22.835402966 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:22.885539055 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:22.899545908 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:22.899616003 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:22.990226984 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:22.990310907 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.019648075 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.019721031 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.088701010 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.112449884 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.112643957 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.140471935 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.200591087 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.232234955 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.232311964 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.322935104 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.351905107 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.352021933 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.442662001 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.442840099 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.471844912 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.472987890 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.562320948 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.563664913 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.592777967 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.592864990 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:23.683837891 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:23.712706089 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:24.058912992 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:24.063178062 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:24.184242964 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:29.123430967 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:29.166768074 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:32.698342085 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:32.817945957 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:33.120973110 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:33.123158932 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:33.242928028 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:36.042059898 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:36.163717985 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:36.461576939 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:36.464576006 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:36.587996960 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:37.341582060 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:37.461184978 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:37.776909113 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:37.779736996 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:37.899437904 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:46.901628971 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:47.021306992 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:47.342372894 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:47.347511053 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:47.467145920 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:58.385704041 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:58.505414963 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:58.526309013 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:58.645885944 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:58.800491095 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:58.802342892 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:58.923651934 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:59.010891914 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:59.012620926 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:36:59.134371042 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:59.135068893 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:36:59.182307959 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:37:04.151257038 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:37:04.273220062 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:37:04.583462000 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:37:04.587491989 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:37:04.707489014 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:37:06.021931887 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:37:06.141961098 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:37:06.438446045 CET70004970487.120.113.179192.168.2.5
              Nov 22, 2024 12:37:06.443625927 CET497047000192.168.2.587.120.113.179
              Nov 22, 2024 12:37:06.563788891 CET70004970487.120.113.179192.168.2.5


              Target ID:0
              Start time:06:32:58
              Start date:22/11/2024
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\file.exe"
              Imagebase:0xb20000
              File size:39'936 bytes
              MD5 hash:FEEFFE6B4EC91B7313A0F0C3A2BC9850
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2060067922.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:false


                Execution Graph

                Execution Coverage:16.9%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:3
                Total number of Limit Nodes:0
                execution_graph 4591 7ff848e51dc8 4593 7ff848e51dd1 SetWindowsHookExW 4591->4593 4594 7ff848e51ea1 4593->4594

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 57 7ff848e5b759-7ff848e5b793 59 7ff848e5b7dd-7ff848e5b7e5 57->59 60 7ff848e5b795-7ff848e5b7a0 call 7ff848e505e0 57->60 62 7ff848e5b85b 59->62 63 7ff848e5b7e7-7ff848e5b804 59->63 64 7ff848e5b7a5-7ff848e5b7dc 60->64 66 7ff848e5b860-7ff848e5b875 62->66 63->66 67 7ff848e5b806-7ff848e5b856 call 7ff848e5a4a0 63->67 64->59 72 7ff848e5b88e-7ff848e5b8a3 66->72 73 7ff848e5b877-7ff848e5b889 call 7ff848e505f0 66->73 91 7ff848e5c4a6-7ff848e5c4b4 67->91 79 7ff848e5b8a5-7ff848e5b8d1 72->79 80 7ff848e5b8d6-7ff848e5b8eb 72->80 73->91 79->91 86 7ff848e5b8ed-7ff848e5b8f9 call 7ff848e59af8 80->86 87 7ff848e5b8fe-7ff848e5b913 80->87 86->91 95 7ff848e5b959-7ff848e5b96e 87->95 96 7ff848e5b915-7ff848e5b918 87->96 101 7ff848e5b9af-7ff848e5b9c4 95->101 102 7ff848e5b970-7ff848e5b973 95->102 96->62 98 7ff848e5b91e-7ff848e5b929 96->98 98->62 100 7ff848e5b92f-7ff848e5b954 call 7ff848e505c8 call 7ff848e59af8 98->100 100->91 108 7ff848e5b9c6-7ff848e5b9c9 101->108 109 7ff848e5b9f1-7ff848e5ba06 101->109 102->62 103 7ff848e5b979-7ff848e5b984 102->103 103->62 106 7ff848e5b98a-7ff848e5b9aa call 7ff848e505c8 call 7ff848e527b0 103->106 106->91 108->62 112 7ff848e5b9cf-7ff848e5b9ec call 7ff848e505c8 call 7ff848e527b8 108->112 119 7ff848e5ba0c-7ff848e5ba6c call 7ff848e50550 109->119 120 7ff848e5baf2-7ff848e5bb07 109->120 112->91 119->62 159 7ff848e5ba72-7ff848e5baa1 119->159 127 7ff848e5bb09-7ff848e5bb0c 120->127 128 7ff848e5bb26-7ff848e5bb3b 120->128 127->62 131 7ff848e5bb12-7ff848e5bb21 call 7ff848e52790 127->131 137 7ff848e5bb5d-7ff848e5bb72 128->137 138 7ff848e5bb3d-7ff848e5bb40 128->138 131->91 143 7ff848e5bb74-7ff848e5bb8d 137->143 144 7ff848e5bb92-7ff848e5bba7 137->144 138->62 140 7ff848e5bb46-7ff848e5bb58 call 7ff848e52790 138->140 140->91 143->91 150 7ff848e5bba9-7ff848e5bbc2 144->150 151 7ff848e5bbc7-7ff848e5bbdc 144->151 150->91 157 7ff848e5bbfc-7ff848e5bc11 151->157 158 7ff848e5bbde-7ff848e5bbf7 151->158 162 7ff848e5bc3a-7ff848e5bc4f 157->162 163 7ff848e5bc13-7ff848e5bc16 157->163 158->91 170 7ff848e5bcef-7ff848e5bd04 162->170 171 7ff848e5bc55-7ff848e5bccd 162->171 163->62 165 7ff848e5bc1c-7ff848e5bc35 163->165 165->91 174 7ff848e5bd1c-7ff848e5bd31 170->174 175 7ff848e5bd06-7ff848e5bd17 170->175 171->62 194 7ff848e5bcd3-7ff848e5bcea 171->194 181 7ff848e5bd37-7ff848e5bdaf 174->181 182 7ff848e5bdd1-7ff848e5bde6 174->182 175->91 181->62 211 7ff848e5bdb5-7ff848e5bdcc 181->211 187 7ff848e5bdfe-7ff848e5be13 182->187 188 7ff848e5bde8-7ff848e5bdf9 182->188 196 7ff848e5be45-7ff848e5be5a 187->196 197 7ff848e5be15-7ff848e5be40 call 7ff848e50fc0 call 7ff848e5a4a0 187->197 188->91 194->91 203 7ff848e5bf37-7ff848e5bf4c 196->203 204 7ff848e5be60-7ff848e5bf32 call 7ff848e50fc0 call 7ff848e5a4a0 196->204 197->91 213 7ff848e5c013-7ff848e5c028 203->213 214 7ff848e5bf52-7ff848e5bf55 203->214 204->91 211->91 223 7ff848e5c03c-7ff848e5c051 213->223 224 7ff848e5c02a-7ff848e5c037 call 7ff848e5a4a0 213->224 215 7ff848e5c008-7ff848e5c00d 214->215 216 7ff848e5bf5b-7ff848e5bf66 214->216 225 7ff848e5c00e 215->225 216->215 220 7ff848e5bf6c-7ff848e5c006 call 7ff848e50fc0 call 7ff848e5a4a0 216->220 220->225 232 7ff848e5c0c8-7ff848e5c0dd 223->232 233 7ff848e5c053-7ff848e5c064 223->233 224->91 225->91 240 7ff848e5c11d-7ff848e5c132 232->240 241 7ff848e5c0df-7ff848e5c0e2 232->241 233->62 243 7ff848e5c06a-7ff848e5c07a call 7ff848e505c0 233->243 255 7ff848e5c178-7ff848e5c18d 240->255 256 7ff848e5c134-7ff848e5c173 call 7ff848e5a160 call 7ff848e537d0 call 7ff848e52770 240->256 241->62 245 7ff848e5c0e8-7ff848e5c118 call 7ff848e505b8 call 7ff848e505c8 call 7ff848e52768 241->245 250 7ff848e5c07c-7ff848e5c0a1 call 7ff848e5a4a0 243->250 251 7ff848e5c0a6-7ff848e5c0c3 call 7ff848e505c0 call 7ff848e505c8 call 7ff848e52768 243->251 245->91 250->91 251->91 271 7ff848e5c22d-7ff848e5c242 255->271 272 7ff848e5c193-7ff848e5c228 call 7ff848e50fc0 call 7ff848e5a4a0 255->272 256->91 271->91 284 7ff848e5c248-7ff848e5c24f 271->284 272->91 290 7ff848e5c251-7ff848e5c25b call 7ff848e59b28 284->290 291 7ff848e5c262-7ff848e5c29e 284->291 290->291
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4525150272.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848e50000_file.jbxd
                Similarity
                • API ID:
                • String ID: hO_H
                • API String ID: 0-3778298420
                • Opcode ID: 0545dc4986929a2bc183d35d0d2ceaedfe5f7b420e11abff214004c418b18318
                • Instruction ID: 03620f8657dfd0fb9d7972c48396bfd11808b17cb05f1d049ef11d2e61bd49ce
                • Opcode Fuzzy Hash: 0545dc4986929a2bc183d35d0d2ceaedfe5f7b420e11abff214004c418b18318
                • Instruction Fuzzy Hash: 97628C70E1D91A9FEB94FBB88495AB9B2D2FF98380F555578D01DC3286DF38E8028744

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 459 7ff848e57c56-7ff848e57c63 460 7ff848e57c6e-7ff848e57d37 459->460 461 7ff848e57c65-7ff848e57c6d 459->461 465 7ff848e57d39-7ff848e57d42 460->465 466 7ff848e57da3 460->466 461->460 465->466 467 7ff848e57d44-7ff848e57d50 465->467 468 7ff848e57da5-7ff848e57dca 466->468 469 7ff848e57d89-7ff848e57da1 467->469 470 7ff848e57d52-7ff848e57d64 467->470 475 7ff848e57dcc-7ff848e57dd5 468->475 476 7ff848e57e36 468->476 469->468 471 7ff848e57d68-7ff848e57d7b 470->471 472 7ff848e57d66 470->472 471->471 474 7ff848e57d7d-7ff848e57d85 471->474 472->471 474->469 475->476 478 7ff848e57dd7-7ff848e57de3 475->478 477 7ff848e57e38-7ff848e57ee0 476->477 489 7ff848e57f4e 477->489 490 7ff848e57ee2-7ff848e57eec 477->490 479 7ff848e57e1c-7ff848e57e34 478->479 480 7ff848e57de5-7ff848e57df7 478->480 479->477 482 7ff848e57df9 480->482 483 7ff848e57dfb-7ff848e57e0e 480->483 482->483 483->483 484 7ff848e57e10-7ff848e57e18 483->484 484->479 491 7ff848e57f50-7ff848e57f79 489->491 490->489 492 7ff848e57eee-7ff848e57efb 490->492 499 7ff848e57f7b-7ff848e57f86 491->499 500 7ff848e57fe3 491->500 493 7ff848e57efd-7ff848e57f0f 492->493 494 7ff848e57f34-7ff848e57f4c 492->494 496 7ff848e57f11 493->496 497 7ff848e57f13-7ff848e57f26 493->497 494->491 496->497 497->497 498 7ff848e57f28-7ff848e57f30 497->498 498->494 499->500 501 7ff848e57f88-7ff848e57f96 499->501 502 7ff848e57fe5-7ff848e58076 500->502 503 7ff848e57fcf-7ff848e57fe1 501->503 504 7ff848e57f98-7ff848e57faa 501->504 510 7ff848e5807c-7ff848e5808b 502->510 503->502 506 7ff848e57fac 504->506 507 7ff848e57fae-7ff848e57fc1 504->507 506->507 507->507 508 7ff848e57fc3-7ff848e57fcb 507->508 508->503 511 7ff848e5808d 510->511 512 7ff848e58093-7ff848e580f8 call 7ff848e58114 510->512 511->512 519 7ff848e580ff-7ff848e58113 512->519 520 7ff848e580fa 512->520 520->519
                Memory Dump Source
                • Source File: 00000000.00000002.4525150272.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848e50000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bb6ba675034a95cbe99aa57a8f9335c7804e376269cb873def79cdf2fcbb74d6
                • Instruction ID: ebb49cc79118d056f24a1130e8d6bf9ae5023442217973dbda80ead2c04f88c9
                • Opcode Fuzzy Hash: bb6ba675034a95cbe99aa57a8f9335c7804e376269cb873def79cdf2fcbb74d6
                • Instruction Fuzzy Hash: A2F1A07090CA8D8FEBA8EF28CC557E977D1FF55350F04426AE84DC7295CB34A9418B86

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 521 7ff848e58a02-7ff848e58a0f 522 7ff848e58a1a-7ff848e58ae7 521->522 523 7ff848e58a11-7ff848e58a19 521->523 527 7ff848e58ae9-7ff848e58af2 522->527 528 7ff848e58b53 522->528 523->522 527->528 530 7ff848e58af4-7ff848e58b00 527->530 529 7ff848e58b55-7ff848e58b7a 528->529 536 7ff848e58b7c-7ff848e58b85 529->536 537 7ff848e58be6 529->537 531 7ff848e58b39-7ff848e58b51 530->531 532 7ff848e58b02-7ff848e58b14 530->532 531->529 534 7ff848e58b18-7ff848e58b2b 532->534 535 7ff848e58b16 532->535 534->534 538 7ff848e58b2d-7ff848e58b35 534->538 535->534 536->537 539 7ff848e58b87-7ff848e58b93 536->539 540 7ff848e58be8-7ff848e58c0d 537->540 538->531 541 7ff848e58bcc-7ff848e58be4 539->541 542 7ff848e58b95-7ff848e58ba7 539->542 547 7ff848e58c0f-7ff848e58c19 540->547 548 7ff848e58c7b 540->548 541->540 543 7ff848e58ba9 542->543 544 7ff848e58bab-7ff848e58bbe 542->544 543->544 544->544 546 7ff848e58bc0-7ff848e58bc8 544->546 546->541 547->548 550 7ff848e58c1b-7ff848e58c28 547->550 549 7ff848e58c7d-7ff848e58cab 548->549 557 7ff848e58cad-7ff848e58cb8 549->557 558 7ff848e58d1b 549->558 551 7ff848e58c2a-7ff848e58c3c 550->551 552 7ff848e58c61-7ff848e58c79 550->552 553 7ff848e58c3e 551->553 554 7ff848e58c40-7ff848e58c53 551->554 552->549 553->554 554->554 556 7ff848e58c55-7ff848e58c5d 554->556 556->552 557->558 560 7ff848e58cba-7ff848e58cc8 557->560 559 7ff848e58d1d-7ff848e58df5 558->559 570 7ff848e58dfb-7ff848e58e0a 559->570 561 7ff848e58cca-7ff848e58cdc 560->561 562 7ff848e58d01-7ff848e58d19 560->562 564 7ff848e58cde 561->564 565 7ff848e58ce0-7ff848e58cf3 561->565 562->559 564->565 565->565 567 7ff848e58cf5-7ff848e58cfd 565->567 567->562 571 7ff848e58e0c 570->571 572 7ff848e58e12-7ff848e58e74 call 7ff848e58e90 570->572 571->572 579 7ff848e58e7b-7ff848e58e8f 572->579 580 7ff848e58e76 572->580 580->579
                Memory Dump Source
                • Source File: 00000000.00000002.4525150272.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848e50000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b3a54a3de6680ee3495fd7ff8c674ade63014f7b345923fb12a57c5099996c4
                • Instruction ID: c1600231f7819a6f8f984b43ae202c7076c5beb9e11c1d87f04d33edf7628e8c
                • Opcode Fuzzy Hash: 9b3a54a3de6680ee3495fd7ff8c674ade63014f7b345923fb12a57c5099996c4
                • Instruction Fuzzy Hash: 85E1C17090CA8E8FEBA8EF28C8567E977E1FB54350F04466ED84DC7295DB3498418B82

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 319 7ff848e51dc8-7ff848e51dcf 320 7ff848e51dda-7ff848e51e4d 319->320 321 7ff848e51dd1-7ff848e51dd9 319->321 325 7ff848e51ed9-7ff848e51edd 320->325 326 7ff848e51e53-7ff848e51e58 320->326 321->320 327 7ff848e51e62-7ff848e51e9f SetWindowsHookExW 325->327 328 7ff848e51e5f-7ff848e51e60 326->328 329 7ff848e51ea7-7ff848e51ed8 327->329 330 7ff848e51ea1 327->330 328->327 330->329
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4525150272.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848e50000_file.jbxd
                Similarity
                • API ID: HookWindows
                • String ID:
                • API String ID: 2559412058-0
                • Opcode ID: 5b43a9370b96d2928c6f94a2c48ca64bc3f7899a18d447d9d2695afd91e46d4d
                • Instruction ID: 755bc57f6a6c5d11e588d80cd1fb648e2f5937b50da13eec786f548ecd6ad8e7
                • Opcode Fuzzy Hash: 5b43a9370b96d2928c6f94a2c48ca64bc3f7899a18d447d9d2695afd91e46d4d
                • Instruction Fuzzy Hash: A541F63190CA4D4FDB58EB6C98466F9BBE1FB59311F04027EE049C3292DF75A85287C1