Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe

Overview

General Information

Sample name:1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
Analysis ID:1391068
MD5:1068f15bcb0132a138ad6496f58ad7d4
SHA1:0035aa784e6f052a384ea044662b5256765aa0fa
SHA256:333f2437106696b8daea10f30724be9b226fb4db1e9f967757fb14f7c8f41511
Tags:base64-decodedexe
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
{"C2 url": ["xwv5group7001.duckdns.org"], "Port": "7001", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
SourceRuleDescriptionAuthorStrings
1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeJoeSecurity_XWormYara detected XWormJoe Security
    1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x70c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7161:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7276:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6d70:$cnc4: POST / HTTP/1.1
    SourceRuleDescriptionAuthorStrings
    00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x6ec4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x6f61:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x7076:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x6b70:$cnc4: POST / HTTP/1.1
      00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        Process Memory Space: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe PID: 7516JoeSecurity_XWormYara detected XWormJoe Security
          SourceRuleDescriptionAuthorStrings
          0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
            0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0x70c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x7161:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x7276:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x6d70:$cnc4: POST / HTTP/1.1
            No Sigma rule has matched
            Timestamp:163.172.59.233192.168.2.47001497292852870 02/12/24-20:15:13.583849
            SID:2852870
            Source Port:7001
            Destination Port:49729
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:192.168.2.4163.172.59.2334972970012855924 02/12/24-20:15:11.927004
            SID:2855924
            Source Port:49729
            Destination Port:7001
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:163.172.59.233192.168.2.47001497292852874 02/12/24-20:15:13.583849
            SID:2852874
            Source Port:7001
            Destination Port:49729
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeAvira: detected
            Source: 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["xwv5group7001.duckdns.org"], "Port": "7001", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeReversingLabs: Detection: 76%
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeJoe Sandbox ML: detected
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            Source: TrafficSnort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49729 -> 163.172.59.233:7001
            Source: TrafficSnort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 163.172.59.233:7001 -> 192.168.2.4:49729
            Source: TrafficSnort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 163.172.59.233:7001 -> 192.168.2.4:49729
            Source: Malware configuration extractorURLs: xwv5group7001.duckdns.org
            Source: unknownDNS query: name: xwv5group7001.duckdns.org
            Source: global trafficTCP traffic: 192.168.2.4:49729 -> 163.172.59.233:7001
            Source: Joe Sandbox ViewASN Name: OnlineSASFR OnlineSASFR
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownDNS traffic detected: queries for: xwv5group7001.duckdns.org
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000002.4109891436.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, XLogger.cs.Net Code: KeyboardLayout

            System Summary

            barindex
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeCode function: 0_2_00007FFD9B8A63160_2_00007FFD9B8A6316
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeCode function: 0_2_00007FFD9B8A9A8D0_2_00007FFD9B8A9A8D
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeCode function: 0_2_00007FFD9B8A70C20_2_00007FFD9B8A70C2
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe, 00000000.00000000.1660588345.00000000006F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNewXClient.exe7001.exe4 vs 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
            Source: 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeBinary or memory string: OriginalFilenameNewXClient.exe7001.exe4 vs 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exeSection loaded: ucrtbase_clr0400.dllJump to b