
Windows Analysis Report
XClient.exe

Overview

General Information

Sample name: XClient.exe
Analysis ID: 1598395
MD5: 50ec04534e38d67176441227c05aa05a
SHA1: 11d09f5856a6945672b1ea9958564bfb4340afdc
SHA256: a30de15c722fcba44ba069647c3de78dd5d15834ffd9faad60a4569252f495f7
Tags: exe, XWorm, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • XClient.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\XClient.exe" MD5: 50EC04534E38D67176441227C05AA05A)
  • cleanup
{"C2 url": ["45.32.153.7", "127.0.0.1"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
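The extracted configuration above is the most directly actionable artifact in the report, but it also shows a common extractor pitfall: the C2 list contains 127.0.0.1 next to 45.32.153.7, and a script that turns every list entry into a block rule would block the loopback address. The Python below is an added example, not part of the Joe Sandbox report and not XWorm code: it loads a copy of the configuration shown above, drops non-global addresses before they reach a blocklist, flattens the rest into an IOC bundle, and emits one outbound-connection Suricata rule per surviving endpoint. The SID range starting at 9000001 is a hypothetical local-rule range and the rule message text is invented; `classtype:command-and-control` is the stock Suricata classtype whose description is the "Malware Command and Control Activity Detected" string seen in the alert tables below.

```python
import ipaddress
import json

# Constructed copy of the configuration the report's extractor printed above.
XWORM_CONFIG_JSON = (
    '{"C2 url": ["45.32.153.7", "127.0.0.1"], "Port": 7000, "Aes key": "<123456789>", '
    '"SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}'
)


def load_config(text: str = XWORM_CONFIG_JSON) -> dict:
    return json.loads(text)


def routable_c2(cfg: dict) -> list:
    """Return only the C2 entries worth acting on.

    The extractor copies the C2 list verbatim, and builders routinely leave
    127.0.0.1 in it. Loopback, private and other non-global addresses are
    dropped so nobody blocks their own host; hostnames are kept as-is.
    """
    keep = []
    for entry in cfg.get("C2 url", []):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            keep.append(entry)  # a hostname, nothing to filter on here
            continue
        if addr.is_global:
            keep.append(str(addr))
    return keep


def iocs(cfg: dict) -> dict:
    """Flatten the config into an IOC bundle for a blocklist or a hunt."""
    return {
        "c2_ips": routable_c2(cfg),
        "c2_port": int(cfg["Port"]),
        "install_file": cfg.get("Install file"),
        "family": cfg.get("Version"),
    }


def suricata_rules(cfg: dict, base_sid: int = 9000001) -> list:
    """One outbound rule per routable C2 endpoint.

    base_sid is a hypothetical local-rule range; local SIDs must stay above
    1000000 so they cannot collide with vendor rule IDs such as 2852870.
    """
    port = int(cfg["Port"])
    version = cfg.get("Version", "XWorm").replace('"', "")
    rules = []
    for i, host in enumerate(routable_c2(cfg)):
        rules.append(
            f"alert tcp $HOME_NET any -> {host} {port} "
            f'(msg:"LOCAL {version} C2 from extracted config"; flow:to_server,established; '
            f"classtype:command-and-control; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    cfg = load_config()
    print(json.dumps(iocs(cfg), indent=2))
    print("\n".join(suricata_rules(cfg)))
```

Run as-is it prints a single rule for 45.32.153.7:7000 and an IOC bundle without the loopback entry. The `is_global` check also silently drops RFC 1918 addresses, which is the right default for an external blocklist but not for a hunt inside a network where the operator's C2 may be on an internal host; relax the filter deliberately in that case rather than removing it.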
Yara rule matches, submitted sample (source / rule / description / author / strings):

Source: XClient.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: XClient.exe | Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
  • 0x58a9: $str01: $VB$Local_Port
  • 0x589a: $str02: $VB$Local_Host
  • 0x5ba0: $str03: get_Jpeg
  • 0x5552: $str04: get_ServicePack
  • 0x656e: $str05: Select * from AntivirusProduct
  • 0x676c: $str06: PCRestart
  • 0x6780: $str07: shutdown.exe /f /r /t 0
  • 0x6832: $str08: StopReport
  • 0x6808: $str09: StopDDos
  • 0x68fe: $str10: sendPlugin
  • 0x697e: $str11: OfflineKeylogger Not Enabled
  • 0x6ad6: $str12: -ExecutionPolicy Bypass -File "
  • 0x6bff: $str13: Content-length: 5235
Source: XClient.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x6ca8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a: $cnc4: POST / HTTP/1.1
Yara rule matches, memory dumps (source / rule / description / author / strings):

Source: 00000001.00000000.1423823015.00000000001D2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000001.00000000.1423823015.00000000001D2000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x6aa8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x691a: $cnc4: POST / HTTP/1.1
Source: 00000001.00000002.3874990132.0000000002501000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: Process Memory Space: XClient.exe PID: 7444 | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Yara rule matches, unpacked PE files (source / rule / description / author / strings):

Source: 1.0.XClient.exe.1d0000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 1.0.XClient.exe.1d0000.0.unpack | Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
  • 0x58a9: $str01: $VB$Local_Port
  • 0x589a: $str02: $VB$Local_Host
  • 0x5ba0: $str03: get_Jpeg
  • 0x5552: $str04: get_ServicePack
  • 0x656e: $str05: Select * from AntivirusProduct
  • 0x676c: $str06: PCRestart
  • 0x6780: $str07: shutdown.exe /f /r /t 0
  • 0x6832: $str08: StopReport
  • 0x6808: $str09: StopDDos
  • 0x68fe: $str10: sendPlugin
  • 0x697e: $str11: OfflineKeylogger Not Enabled
  • 0x6ad6: $str12: -ExecutionPolicy Bypass -File "
  • 0x6bff: $str13: Content-length: 5235
Source: 1.0.XClient.exe.1d0000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x6ca8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a: $cnc4: POST / HTTP/1.1
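The string offsets reported for rat_win_xworm_v3 show why string rules for .NET samples need both encodings. Metadata names such as $VB$Local_Host live in the assembly's #Strings heap as NUL-terminated ASCII: $VB$Local_Host at 0x589a and $VB$Local_Port at 0x58a9 are 15 bytes apart, 14 characters plus one NUL. String literals such as PCRestart live in the #US heap as length-prefixed UTF-16LE: PCRestart at 0x676c and shutdown.exe /f /r /t 0 at 0x6780 are 20 bytes apart, one length byte, 18 bytes of UTF-16 and one trailing flag byte. A rule that only searches ASCII sees the first group and misses the second. The Python below is an added example, not Sekoia's rule and not Joe Sandbox code: it builds a constructed buffer laid out like those two heaps, searches for the rule's strings in both encodings, and applies a hypothetical "at least 8 distinct strings" condition, since the report does not give the real rule's condition. The constructed buffer deliberately omits $str13 so that the match count is 12, not 13.

```python
# Constructed stand-in for the relevant parts of a .NET PE: a #Strings heap of
# NUL-terminated ASCII metadata names, then a #US heap of length-prefixed
# UTF-16LE user strings. Offsets are therefore not those of the real sample.
NARROW_NAMES = ["get_ServicePack", "$VB$Local_Host", "$VB$Local_Port", "get_Jpeg"]
WIDE_LITERALS = [
    "Select * from AntivirusProduct", "PCRestart", "shutdown.exe /f /r /t 0",
    "StopDDos", "StopReport", "sendPlugin", "OfflineKeylogger Not Enabled",
    '-ExecutionPolicy Bypass -File "',
]

# The strings of Sekoia's rat_win_xworm_v3 rule as listed in the report above.
XWORM_STRINGS = {
    "str01": "$VB$Local_Port",
    "str02": "$VB$Local_Host",
    "str03": "get_Jpeg",
    "str04": "get_ServicePack",
    "str05": "Select * from AntivirusProduct",
    "str06": "PCRestart",
    "str07": "shutdown.exe /f /r /t 0",
    "str08": "StopReport",
    "str09": "StopDDos",
    "str10": "sendPlugin",
    "str11": "OfflineKeylogger Not Enabled",
    "str12": '-ExecutionPolicy Bypass -File "',
    "str13": "Content-length: 5235",
}


def us_entry(text: str) -> bytes:
    """One #US heap entry: length byte, UTF-16LE characters, one flag byte."""
    data = text.encode("utf-16-le") + b"\x00"
    assert len(data) < 0x80, "single-byte compressed length assumed for these short strings"
    return bytes([len(data)]) + data


def build_sample() -> bytes:
    strings_heap = b"\x00" + b"\x00".join(n.encode("ascii") for n in NARROW_NAMES) + b"\x00"
    us_heap = b"\x00" + b"".join(us_entry(s) for s in WIDE_LITERALS)
    return b"MZ" + b"\x00" * 0x200 + strings_heap + b"\x00" * 0x40 + us_heap


def find_strings(buf: bytes, patterns: dict, encodings=("ascii", "wide")) -> dict:
    """Map each string name to [(offset, encoding), ...] for every occurrence.

    "ascii" is the plain byte form; "wide" is UTF-16LE, the same thing
    YARA's `wide` modifier searches for.
    """
    codec = {"ascii": "ascii", "wide": "utf-16-le"}
    hits = {}
    for name, text in patterns.items():
        for enc in encodings:
            needle = text.encode(codec[enc])
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.setdefault(name, []).append((pos, enc))
                start = pos + 1
    return hits


def rule_matches(buf: bytes, patterns: dict = XWORM_STRINGS, at_least: int = 8,
                 encodings=("ascii", "wide")) -> bool:
    """Hypothetical condition: at least `at_least` distinct strings present.
    The real rule's condition is not reproduced from the report."""
    return len(find_strings(buf, patterns, encodings)) >= at_least


if __name__ == "__main__":
    buf = build_sample()
    for name, occurrences in sorted(find_strings(buf, XWORM_STRINGS).items()):
        off, enc = occurrences[0]
        print(f"0x{off:04x}: ${name}: {XWORM_STRINGS[name]!r} ({enc})")
    print("ascii+wide:", rule_matches(buf), " ascii only:", rule_matches(buf, encodings=("ascii",)))
```

With both encodings the scan finds 12 of the 13 strings and the condition holds; restricted to ASCII it finds only the four metadata names and the condition fails, which is exactly the gap a rule without `wide` leaves on this family. When writing the rule itself, the same split applies: `ascii` for #Strings identifiers, `wide` for the user-string literals, or `ascii wide` when unsure.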
            No Sigma rule has matched
Suricata IDS alerts (timestamp | SID | severity | classtype | source IP | source port | destination IP | destination port | protocol):

2025-01-24T08:07:30.048531+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:07:30.914465+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:07:41.440706+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:07:52.878086+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:00.916676+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:04.315296+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:15.807958+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:26.393952+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:30.932972+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:31.081945+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:31.183541+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:35.690874+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:39.346581+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:40.660775+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:41.346969+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:41.449047+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:41.879673+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:51.643997+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:51.784513+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:51.886792+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:51.989081+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:52.227779+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:57.597556+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:57.699195+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:00.951253+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:02.675855+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:02.815981+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:06.081686+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:06.940803+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:10.727929+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:22.159749+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:24.177720+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:24.279509+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:24.391060+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:24.698330+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:24.897164+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:29.924908+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:30.027152+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:30.475190+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:30.956257+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:36.003580+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:37.208039+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:48.648184+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:53.019459+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:56.425511+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:58.317527+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:00.954239+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:02.831485+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:02.927095+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:03.028742+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:07.538960+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:08.065989+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:08.171349+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:08.273478+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:08.441577+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:08.543429+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:08.645858+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:09.026440+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:19.412216+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:24.456226+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:24.563232+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:26.815862+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:30.050977+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:30.153971+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:30.955623+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:34.393940+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:35.269570+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:35.832229+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:40.237657+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:40.338247+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:45.136024+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:46.818947+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:50.128166+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:50.467909+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:53.504387+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:53.843447+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:53.943622+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:00.503710+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:00.604458+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:00.705749+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:00.956310+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:09.718139+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:10.753351+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:10.847853+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:15.535069+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
Suricata IDS alerts (timestamp | SID | severity | classtype | source IP | source port | destination IP | destination port | protocol):

2025-01-24T08:07:30.892981+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:07:41.807143+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:07:52.880906+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:04.317034+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:15.810885+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:26.402174+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:31.084029+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:31.185566+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:35.698317+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:39.348766+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:40.662835+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:41.349704+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:41.451163+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:41.885014+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:51.646828+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:51.787072+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:51.889602+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:51.991245+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:52.232094+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:57.599580+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:08:57.710461+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:02.678283+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:02.818076+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:06.087111+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:06.943573+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:10.730277+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:22.162888+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.179903+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.291481+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.393133+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.496484+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.525872+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.598815+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.603790+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.700283+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:24.899682+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:29.927358+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.029480+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.131994+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.137006+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.240102+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.245110+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.250245+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.260101+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.548458+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.570364+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.590873+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.595672+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:30.608668+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:36.005827+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:37.220327+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:48.649873+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:53.025339+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:56.427782+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:09:58.319880+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:02.833989+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:02.929396+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:03.031050+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:07.550886+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.068716+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.173925+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.275119+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.376856+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.443218+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.545778+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.647581+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.821392+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:08.927013+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:09.028395+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:09.141526+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:09.158911+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:19.419014+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.459982+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.568452+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.659861+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.666921+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.760985+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.865688+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.872806+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.970851+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:24.979330+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:26.820528+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:30.053091+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:30.160298+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:30.263254+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:30.268247+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:30.363902+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:34.394768+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:35.277964+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:35.833224+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:40.238561+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:40.339159+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:40.442135+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:40.447111+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:45.139117+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:46.819637+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:50.128813+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:50.468583+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:53.505103+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:53.844107+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:10:53.944466+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:00.504795+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:00.605238+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:00.706565+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:09.726324+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:10.754383+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:10.848682+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:10.951701+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:10.957591+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:11.057507+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:11.066521+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
2025-01-24T08:11:15.536306+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 45.32.153.7 | 7000 | TCP
Suricata IDS alerts (timestamp | SID | severity | classtype | source IP | source port | destination IP | destination port | protocol):

2025-01-24T08:07:30.914465+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:00.916676+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:08:30.932972+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:00.951253+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:09:30.956257+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:00.954239+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:10:30.955623+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
2025-01-24T08:11:00.956310+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.32.153.7 | 7000 | 192.168.2.8 | 49706 | TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-01-24T08:08:57.419620+010028531931Malware Command and Control Activity Detected192.168.2.84970645.32.153.77000TCP

AV Detection

Source: XClient.exe | Avira: detected
Source: XClient.exe | Malware Configuration Extractor: Xworm {"C2 url": ["45.32.153.7", "127.0.0.1"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: XClient.exe | Virustotal: Detection: 77%
Source: XClient.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XClient.exe | Joe Sandbox ML: detected
Source: XClient.exe | String decryptor: 45.32.153.7,127.0.0.1
Source: XClient.exe | String decryptor: 7000
Source: XClient.exe | String decryptor: <123456789>
Source: XClient.exe | String decryptor: <Xwormmm>
Source: XClient.exe | String decryptor: XWorm V5.6
Source: XClient.exe | String decryptor: USB.exe
Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49706 -> 45.32.153.7:7000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.32.153.7:7000 -> 192.168.2.8:49706
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49706 -> 45.32.153.7:7000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.32.153.7:7000 -> 192.168.2.8:49706
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49706 -> 45.32.153.7:7000
Source: Malware configuration extractor | URLs: 45.32.153.7
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 45.32.153.7:7000
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: unknown | TCP traffic detected without corresponding DNS query: 45.32.153.7 (50 identical entries)
Source: XClient.exe, 00000001.00000002.3874990132.0000000002501000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: XClient.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: XClient.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.XClient.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.0.XClient.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1423823015.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\XClient.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\XClient.exe | Code function: 1_2_00007FFB4B366CF2
Source: C:\Users\user\Desktop\XClient.exe | Code function: 1_2_00007FFB4B365F46
Source: C:\Users\user\Desktop\XClient.exe | Code function: 1_2_00007FFB4B3622C0
Source: C:\Users\user\Desktop\XClient.exe | Code function: 1_2_00007FFB4B36471D
Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XClient.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: XClient.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.XClient.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.0.XClient.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1423823015.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: XClient.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' (2 entries)
Source: XClient.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/2
Source: C:\Users\user\Desktop\XClient.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\gKaTRNX0dSePJPR6
Source: XClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\XClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XClient.exe | Virustotal: Detection: 77%
Source: XClient.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ucrtbase_clr0400.dll (2 entries)
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\XClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: XClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: XClient.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs | .Net Code: Memory
Source: C:\Users\user\Desktop\XClient.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe | Memory allocated: 900000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe | Memory allocated: 1A500000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Users\user\Desktop\XClient.exe | Window / User API: threadDelayed 7218
Source: C:\Users\user\Desktop\XClient.exe | Window / User API: threadDelayed 2636
Source: C:\Users\user\Desktop\XClient.exe TID: 7592 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\XClient.exe TID: 7596 | Thread sleep count: 7218 > 30
Source: C:\Users\user\Desktop\XClient.exe TID: 7596 | Thread sleep count: 2636 > 30
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\XClient.exe | File Volume queried: C:\ FullSizeInformation (2 entries)
Source: XClient.exe, 00000001.00000002.3874200647.000000000068D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\XClient.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\XClient.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\XClient.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XClient.exe | Queries volume information: C:\Users\user\Desktop\XClient.exe VolumeInformation
Source: C:\Users\user\Desktop\XClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: XClient.exe, 00000001.00000002.3874200647.000000000068D000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000001.00000002.3876738859.000000001B475000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000001.00000002.3874200647.0000000000639000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\XClient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: XClient.exe, type: SAMPLE
Source: Yara match | File source: 1.0.XClient.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1423823015.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3874990132.0000000002501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XClient.exe PID: 7444, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: XClient.exe, type: SAMPLE
Source: Yara match | File source: 1.0.XClient.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1423823015.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3874990132.0000000002501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XClient.exe PID: 7444, type: MEMORYSTR

ATT&CK matrix by tactic (bracketed digits are the badge numbers shown beside matched techniques):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation [11]; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [232]; Deobfuscate/Decode Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [221]; Virtualization/Sandbox Evasion [232]; Application Window Discovery [1]; System Information Discovery [13]; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact