Malware Analysis Report

2024-10-18 21:30

Sample ID 240808-w5d3ls1clh
Target XWorm v5.1-5.2.7z
SHA256 fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
Tags
agilenet agenttesla stormkitty
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

Threat Level: Known bad

The file XWorm v5.1-5.2.7z was found to be: Known bad.

Malicious Activity Summary

agilenet agenttesla stormkitty

StormKitty payload

Stormkitty family

AgentTesla payload

Agenttesla family

Contains code to disable Windows Defender

Obfuscated with Agile.Net obfuscator

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-08 18:30

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:27

Platform

win11-20240802-en

Max time kernel

1470s

Max time network

1489s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Mdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Mdb.dll",#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:30

Platform

win11-20240802-en

Max time kernel

1475s

Max time network

1492s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.ILHelpers.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.ILHelpers.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:32

Platform

win11-20240802-en

Max time kernel

1475s

Max time network

1487s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Iced.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Iced.dll",#1

Network

Country Destination Domain Proto
US 52.111.227.13:443 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:37

Platform

win11-20240802-en

Max time kernel

1468s

Max time network

1493s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Utils.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Utils.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 21:02

Platform

win11-20240802-en

Max time kernel

1399s

Max time network

1163s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Programs.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Programs.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 21:00

Platform

win11-20240802-en

Max time kernel

1476s

Max time network

1495s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\ProcessManager.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\ProcessManager.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:28

Platform

win11-20240802-en

Max time kernel

1368s

Max time network

1155s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Rocks.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:37

Platform

win11-20240802-en

Max time kernel

1472s

Max time network

1498s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\ActiveWindows.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\ActiveWindows.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:57

Platform

win11-20240802-en

Max time kernel

1469s

Max time network

1488s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\FileSeacher.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\FileSeacher.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:58

Platform

win11-20240802-en

Max time kernel

1467s

Max time network

1486s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HRDP.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HRDP.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:00

Platform

win11-20240802-en

Max time kernel

1480s

Max time network

1498s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Maps.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Maps.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:07

Platform

win11-20240802-en

Max time kernel

1463s

Max time network

1486s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Performance.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Performance.dll",#1

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:27

Platform

win11-20240802-en

Max time kernel

1437s

Max time network

1463s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.Pdb.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:28

Platform

win11-20240802-en

Max time kernel

1361s

Max time network

1149s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Backports.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Backports.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:59

Platform

win11-20240802-en

Max time kernel

1477s

Max time network

1496s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Informations.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Informations.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:07

Platform

win11-20240802-en

Max time kernel

1469s

Max time network

1495s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Options.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Options.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:57

Platform

win11-20240802-en

Max time kernel

1465s

Max time network

1484s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Cmstp-Bypass.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Cmstp-Bypass.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:58

Platform

win11-20240802-en

Max time kernel

1477s

Max time network

1491s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HVNCMemory.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HVNCMemory.dll",#1

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:02

Platform

win11-20240802-en

Max time kernel

1468s

Max time network

1492s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Microphone.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Microphone.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:29

Platform

win11-20240802-en

Max time kernel

1463s

Max time network

1489s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Core.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\MonoMod.Core.dll",#1

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:37

Platform

win11-20240802-en

Max time kernel

1476s

Max time network

1493s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Newtonsoft.Json.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Newtonsoft.Json.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:37

Platform

win11-20240802-en

Max time kernel

1463s

Max time network

1488s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\All-In-One.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\All-In-One.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:57

Platform

win11-20240802-en

Max time kernel

1355s

Max time network

1150s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Chat.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Chat.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:00

Platform

win11-20240802-en

Max time kernel

1467s

Max time network

1492s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Keylogger.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Keylogger.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:07

Platform

win11-20240802-en

Max time kernel

1470s

Max time network

1496s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Ngrok-Disk.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Ngrok-Disk.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:07

Platform

win11-20240802-en

Max time kernel

1470s

Max time network

1492s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Pastime.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Pastime.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:28

Platform

win11-20240802-en

Max time kernel

1480s

Max time network

1504s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Mono.Cecil.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:37

Platform

win11-20240802-en

Max time kernel

1392s

Max time network

1150s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\NAudio.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\NAudio.dll",#1

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:57

Platform

win11-20240802-en

Max time kernel

1476s

Max time network

1493s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Clipboard.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\Clipboard.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:57

Platform

win11-20240802-en

Max time kernel

1395s

Max time network

1162s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\FileManager.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\FileManager.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 19:58

Platform

win11-20240802-en

Max time kernel

1475s

Max time network

1492s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HVNC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\HVNC.dll",#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-08 18:29

Reported

2024-08-08 20:02

Platform

win11-20240802-en

Max time kernel

1397s

Max time network

1157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\MessageBox.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm V5.1\Plugins\MessageBox.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A