Malware Analysis Report

2025-05-28 16:50

Sample ID 250118-zf7keavlaq
Target XWorm V5.0.rar
SHA256 d4d60f2b5700a42ce59b0c449fe44532d08c81bc0aa1a68fd9f93eef1f42d4f7
Tags redline agilenet discovery infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d4d60f2b5700a42ce59b0c449fe44532d08c81bc0aa1a68fd9f93eef1f42d4f7

Threat Level: Known bad

The file XWorm V5.0.rar was found to be: Known bad.

Malicious Activity Summary

redline agilenet discovery infostealer

Redline family

RedLine

RedLine payload

Contains code to disable Windows Defender

Loads dropped DLL

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-18 20:40

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (52 identical rows)

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-18 20:40

Reported

2025-01-18 20:41

Platform

win11-20241007-en

Max time kernel

29s

Max time network

29s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.rar"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\XWorm V5.0\crack.exe

"C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"

C:\Users\Admin\Desktop\XWorm V5.0\crack.exe

"C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"

C:\Users\Admin\Desktop\XWorm V5.0\crack.exe

"C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"

C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe

"C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"

C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe

"C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe"

C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2572 -ip 2572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 896

Network

Country | Destination | Domain | Proto
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
NL | 45.15.156.127:23000 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zE8A15FAF7\XWorm V5.0\Icons\icon (15).ico

MD5 e3143e8c70427a56dac73a808cba0c79
SHA1 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256 b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

C:\Users\Admin\Desktop\XWorm V5.0\crack.exe

MD5 e5fb57e8214483fd395bd431cb3d1c4b
SHA1 60e22fc9e0068c8156462f003760efdcac82766b
SHA256 e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684
SHA512 dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

memory/4160-158-0x0000000001620000-0x0000000001676000-memory.dmp

memory/4160-162-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/4160-163-0x00000000746A0000-0x0000000074E51000-memory.dmp

memory/4160-164-0x0000000006170000-0x0000000006788000-memory.dmp

memory/4160-165-0x0000000005B80000-0x0000000005B92000-memory.dmp

memory/4160-166-0x0000000005CB0000-0x0000000005DBA000-memory.dmp

memory/4160-167-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

memory/4160-168-0x0000000005C40000-0x0000000005C8C000-memory.dmp

memory/4692-170-0x0000000001030000-0x0000000001086000-memory.dmp

memory/3288-175-0x00000000011C0000-0x0000000001216000-memory.dmp

C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe

MD5 5c945d21d2c9fe2586f55d4b69f14d9c
SHA1 40b4b68f56abcf112eed0af86891839fc13ee94c
SHA256 765fc3f5d7ca205f45e8f64f16e4157af78c5105f849afd8d896fbe7671d036f
SHA512 83be65f24f3bbc3b21217f5de32dc5d2768bd6763bd7e209be47f41cdb2594e8279b7202458eff57b3d70d02f065a8813da3d1f9d72195856873aafdb2ff995b

memory/4160-182-0x00000000746AE000-0x00000000746AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe

MD5 227494b22a4ee99f48a269c362fd5f19
SHA1 d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9
SHA256 7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2
SHA512 71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

memory/2532-201-0x0000000000400000-0x0000000000F17000-memory.dmp

memory/3496-202-0x0000000001240000-0x0000000001296000-memory.dmp

memory/4192-206-0x0000020EE9AF0000-0x0000020EEA562000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll

MD5 a239b7cac8be034a23e7e231d3bcc6df
SHA1 ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d
SHA256 063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8
SHA512 c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

memory/4160-214-0x00000000746A0000-0x0000000074E51000-memory.dmp

memory/4192-215-0x0000020EED410000-0x0000020EEDFC6000-memory.dmp

C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe

MD5 e8e0065b1cade61de10069945bd335fa
SHA1 5076539e3ff6c7daa4af5c5abce274e3d8efb1d6
SHA256 498063df1a178cf85f89062cdeca2a8f26cd93ff90d246e027d58f8972868303
SHA512 b89dee4c730480e9283759ec94e2d58c76e187e914af6382b1c630a549546bf979c1f36d751e51d32f6fc3468a382ac92a0947e05eb0f7f187b341b2d9f908cb

C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

MD5 39d81ca537ceb52632fbb2e975c3ee2f
SHA1 0a3814bd3ccea28b144983daab277d72313524e4
SHA256 76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
SHA512 18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

memory/3824-228-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2572-230-0x00000000003D0000-0x00000000003EE000-memory.dmp