Edit tour

Windows Analysis Report
1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Overview

General Information

Sample name:	1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe
Analysis ID:	1547388
MD5:	fccff79af62a4c34fdf4afb410fbaf86
SHA1:	7fc71ef7fb4aa436b93ec4b6a825fee64501460f
SHA256:	a16dfd5a9f62ca6480568f9e3e6a9a0b070cb5a82029dbad87a8df4823f8c371
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe" MD5: FCCFF79AF62A4C34FDF4AFB410FBAF86)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/juxAi7cy"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a42:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b57:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7653:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1835826411.0000000000992000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1835826411.0000000000992000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x77a5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7842:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7957:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7453:$cnc4: POST / HTTP/1.1
00000000.00000002.4280447826.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe.990000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe.990000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a42:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b57:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7653:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-02T09:46:54.450305+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49734	TCP
2024-11-02T09:47:33.992843+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49801	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-02T09:46:45.468600+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:46:51.281857+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:02.638712+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:14.003593+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:15.483464+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:25.369955+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:36.785553+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:45.500398+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:47.666695+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:48.323022+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:48.489777+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:54.089537+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:05.567856+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:14.388900+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:15.493014+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:16.252399+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:16.432523+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:16.549728+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:21.934566+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:21.977994+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:22.010530+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:22.040185+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:22.102892+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:22.176588+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:24.042641+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:31.152658+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:42.514271+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:43.260658+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:45.503527+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:45.718880+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:47.919811+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:53.310449+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:53.415365+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:53.446689+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:53.462493+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:53.477100+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:53.607633+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:02.314755+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:05.854635+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.198985+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.229562+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.243614+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.260537+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.276243+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.290882+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.322051+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.365079+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:09.430185+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:15.515990+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:15.726865+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:20.605415+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:20.634300+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:20.650048+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:20.681243+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:20.696860+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:20.772755+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:27.948557+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:32.640255+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:38.363906+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:43.342252+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:45.528451+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:53.498091+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:53.534715+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:53.664794+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:04.886950+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:05.572810+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:11.888327+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:13.963650+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:15.535232+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:19.216722+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:20.370572+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:25.698788+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:25.760679+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:25.837743+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:25.875874+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:25.900348+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:25.962888+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:25.995026+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:26.032092+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:26.058848+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:26.137541+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:27.684890+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:34.784158+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:36.324614+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:36.491264+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:38.933369+0100	2852870	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-02T09:46:51.283433+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:02.641724+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:14.005339+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:25.425375+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:36.788004+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:47.670016+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:48.325347+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:48.494002+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:47:54.092083+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:05.578766+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:14.391412+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:16.254907+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:16.435674+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:16.551773+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:21.936632+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:21.981742+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:22.012148+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:22.041887+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:22.105117+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:22.178334+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:24.044561+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:31.157300+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:42.519734+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:43.270955+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:47.922380+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:53.312711+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:53.417255+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:53.448328+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:53.464068+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:53.478698+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:48:53.609478+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:02.328385+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:05.860386+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.202409+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.231362+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.245207+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.262224+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.277872+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.292599+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.323844+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.367467+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.402373+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.430241+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:09.482984+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:20.609215+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:20.636597+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:20.653513+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:20.683222+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:20.698291+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:20.775989+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:27.960537+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:32.642168+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:38.374038+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:43.348440+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:53.500994+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:53.540576+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:49:53.666492+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:04.889010+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:05.574740+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:11.890660+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:13.971102+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:19.218627+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:20.372212+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:25.762049+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:25.839652+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:25.877934+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:25.901711+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:25.967125+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:25.997186+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:26.033402+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:26.062402+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:26.139294+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:27.692145+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:34.790455+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:36.328572+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:36.494527+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP
2024-11-02T09:50:38.934274+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-02T09:46:45.468600+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:15.483464+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:47:45.500398+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:15.493014+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:45.503527+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:48:45.718880+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:15.515990+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:15.726865+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:49:45.528451+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP
2024-11-02T09:50:15.535232+0100	2852874	1	Malware Command and Control Activity Detected	45.15.158.112	6767	192.168.2.4	49733	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-02T09:48:42.964466+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.15.158.112	6767	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/juxAi7cy"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	String decryptor: https://pastebin.com/raw/juxAi7cy
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	String decryptor: <123456789>
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	String decryptor: <Xwormmm>
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	String decryptor: RAGNOROK54
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	String decryptor: USB.exe

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.15.158.112:6767 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.15.158.112:6767 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49733 -> 45.15.158.112:6767
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49733 -> 45.15.158.112:6767
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49733 -> 45.15.158.112:6767

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/juxAi7cy

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 45.15.158.112:6767

Source: global traffic

HTTP traffic detected: GET /raw/juxAi7cy HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.20.3.235 104.20.3.235

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49801

Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.158.112

Source: global traffic

HTTP traffic detected: GET /raw/juxAi7cy HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: pastebin.com

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, 00000000.00000002.4280447826.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, 00000000.00000002.4280447826.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/juxAi7cy

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, XLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1835826411.0000000000992000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Code function: 0_2_00007FFD9B558432	0_2_00007FFD9B558432
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Code function: 0_2_00007FFD9B557686	0_2_00007FFD9B557686
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Code function: 0_2_00007FFD9B555E5D	0_2_00007FFD9B555E5D

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, 00000000.00000000.1835847139.000000000099C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamestevenrag.exe4 vs 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Binary or memory string: OriginalFilenamestevenrag.exe4 vs 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1835826411.0000000000992000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Settings.cs

Base64 encoded string: '/qdUqPdORjnt8HpCFOzHxMSZ7Zy1f+mX0VWMer+SWEMyRkbGVDf7RK8t3+F0rh7d'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\aq3Fac3Pq9GHgZuk

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, Messages.cs	.Net Code: Memory

Boot Survival

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760, type: MEMORYSTR

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Memory allocated: 11D0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Memory allocated: 1ACF0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Window / User API: threadDelayed 2188			Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Window / User API: threadDelayed 7652			Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe TID: 7148	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe TID: 4836	Thread sleep count: 2188 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe TID: 4836	Thread sleep count: 7652 > 30	Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, 00000000.00000002.4279880982.0000000000E46000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760, type: MEMORYSTR

Source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, 00000000.00000002.4281796957.000000001B50F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1835826411.0000000000992000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4280447826.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1835826411.0000000000992000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4280447826.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe PID: 6760, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Disable or Modify Tools	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe