Malware Analysis Report

2025-06-15 21:44

Sample ID 230412-zdbpysfa34
Target XWorm-RAT-main (1).zip
SHA256 f0eb7f58edc94075cf2d0567ad4b9c7153f7bdeca5e3537ee88360214f6a9076
Tags agilenet
Score 10/10

Analysis Overview

Score 10/10

SHA256 f0eb7f58edc94075cf2d0567ad4b9c7153f7bdeca5e3537ee88360214f6a9076

Threat Level: Known bad

The file XWorm-RAT-main (1).zip was found to be: Known bad.

Malicious Activity Summary

agilenet

Contains code to disable Windows Defender

Nirsoft

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-04-12 20:35

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\HVNC-Server.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\HVNC-Server.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\HVNC-Server.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

89s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"

Network

Country Destination Domain Proto

Files

memory/3384-133-0x0000000000070000-0x000000000025A000-memory.dmp

memory/3384-134-0x00000000050F0000-0x0000000005694000-memory.dmp

memory/3384-135-0x0000000004C20000-0x0000000004CB2000-memory.dmp

memory/3384-136-0x0000000004D60000-0x0000000004DFC000-memory.dmp

memory/3384-137-0x0000000004CC0000-0x0000000004D26000-memory.dmp

memory/3384-138-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/3384-139-0x0000000005B20000-0x0000000005B2A000-memory.dmp

memory/3384-140-0x0000000005D60000-0x0000000005F84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/3384-148-0x00000000739E0000-0x0000000073A69000-memory.dmp

memory/3384-149-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/3384-150-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/3384-151-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/3384-152-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/3384-153-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/3384-154-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/3384-155-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:44

Platform

win10v2004-20230221-en

Max time kernel

153s

Max time network

267s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XWorm-RAT-V2.1-builder.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XWorm-RAT-V2.1-builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XWorm-RAT-V2.1-builder.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\XWorm-RAT-V2.1-builder.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 4168 -ip 4168

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4168 -s 1748

Network

Country Destination Domain Proto

Files

memory/4168-134-0x000001D2C0FA0000-0x000001D2C12DE000-memory.dmp

memory/4168-135-0x000001D2C2E30000-0x000001D2C2E40000-memory.dmp

memory/4168-136-0x000001D2C2EB0000-0x000001D2C2EBA000-memory.dmp

memory/4168-137-0x000001D2C2E30000-0x000001D2C2E40000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

99s

Max time network

159s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\BlankScreen.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\BlankScreen.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

90s

Max time network

116s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Chat.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Chat.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

59s

Max time network

77s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Clipboard.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Clipboard.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

77s

Max time network

104s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DicordTokens.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DicordTokens.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

87s

Max time network

109s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DisableWD.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DisableWD.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

89s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\FileSeacher.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\FileSeacher.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

114s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\FileZilla.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\FileZilla.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

79s

Max time network

89s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\uninstall.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\uninstall.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

113s

Max time network

127s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Chromium.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Chromium.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

105s

Max time network

112s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Clipper.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Clipper.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

91s

Max time network

144s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Computerdefaults.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Computerdefaults.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

113s

Max time network

127s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DeletePoints.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DeletePoints.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 2908 -ip 2908

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2908 -s 1772

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

115s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\ResHacker.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\ResHacker.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\ResHacker.exe"

Network

Country Destination Domain Proto

Files

memory/688-133-0x0000000002370000-0x0000000002371000-memory.dmp

memory/688-134-0x0000000000400000-0x0000000000502000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:42

Platform

win10v2004-20230220-en

Max time kernel

114s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\vncviewer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\vncviewer.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\vncviewer.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Tools\options.vnc

MD5 24f5e966d65e79745d3303b950496810
SHA1 76b05ca8cac7a49bec0c413270e4af5ce891dbf9
SHA256 9b7645a27b48ec94958a9a95326860c811b9fb3b9d82901102671e7c64416d3f
SHA512 b77bcc8f62db51c2b120e664d9f78c1896a943d56d4e3fdf7b4520a021458181cf70457ae486b12439905351bac8df875320a02b79b0f8ad4f9eacaa00379c5d

Analysis: behavioral27

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

90s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\dnlib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\dnlib.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

111s

Max time network

117s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Cmstp-Bypass.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Cmstp-Bypass.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:43

Platform

win10v2004-20230221-en

Max time kernel

193s

Max time network

224s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DeleteWD.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\DeleteWD.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

59s

Max time network

87s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\NAudio.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\NAudio.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

102s

Max time network

116s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\7zip.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\7zip.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

97s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\ACTWindows.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\ACTWindows.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 202.77.24.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:42

Platform

win10v2004-20230221-en

Max time kernel

178s

Max time network

177s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\AskUAC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\AskUAC.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 126.159.241.8.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:41

Platform

win10v2004-20230220-en

Max time kernel

90s

Max time network

95s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Email.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Email.dll",#1

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 52.152.108.96:443 tcp
JP 40.79.189.59:443 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 194.77.24.184.in-addr.arpa udp
US 93.184.221.240:80 tcp
NL 173.223.113.131:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 126.155.27.67.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:42

Platform

win10v2004-20230220-en

Max time kernel

92s

Max time network

127s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Encoder.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\Encoder.dll",#1

Network

Country Destination Domain Proto
NL 52.178.17.3:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 80.135.123.92.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-04-12 20:35

Reported

2023-04-12 20:42

Platform

win10v2004-20230221-en

Max time kernel

183s

Max time network

194s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\HRDP.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main\XWorm RAT V2.1\Plugins\HRDP.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 117.18.237.29:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp

Files

N/A