Verdict: Malicious

Classifications: Keylogger, Spyware

Threat Names: XWorm, Mal/Generic-S

File Name Category Type Verdict Actions
C:\Users\OqXZRaykm\AppData\Roaming\XClient.exe Sample File Binary Malicious
Also Known As C:\Users\OqXZRaykm\Desktop\test.exe (VM File, Accessed File, Sample File)
MIME Type application/vnd.microsoft.portable-executable
File Size 223.00 KB
MD5 a28b592e08b8269273c28c042e82f795
SHA1 0dbf6e02a3e42718aefab52ed53aa5b1f00b6c3c
SHA256 26b89290b418a47b12525421495647ff1e560f4af6d95459c3718d055f143cff
SSDeep 6144:LAVdUOdPbwGUhcX7elbKTua9bfF/H9d9n:LAVdU1G3X3u+
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x0040FA1E
Size Of Code 0x0000DC00
Size Of Initialized Data 0x00029E00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2024-08-22 07:38 (UTC)
Version Information (9)
CompanyName Telegram FZ-LLC
FileDescription Telegram Desktop
FileVersion 5.3.1.0
InternalName test.exe
LegalCopyright Copyright (C) 2014-2024
OriginalFilename test.exe
ProductName Telegram Desktop
ProductVersion 5.3.1.0
Assembly Version 5.3.1.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x0000DA24 0x0000DC00 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.08
.rsrc 0x00410000 0x00029A06 0x00029C00 0x0000DE00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.08
.reloc 0x0043A000 0x0000000C 0x00000200 0x00037A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0000F9F8 0x0000DBF8 0x00000000
Memory Dumps (8)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
test.exe 1 0x00010000 0x0004BFFF Relevant Image False 64-bit - False
buffer 1 0x1B518000 0x1B51FFFF First Network Behavior False 64-bit - False
buffer 1 0x1B41A000 0x1B41FFFF First Network Behavior False 64-bit - False
buffer 1 0x1B315000 0x1B31FFFF First Network Behavior False 64-bit - False
buffer 1 0x1A61D000 0x1A61FFFF First Network Behavior False 64-bit - False
buffer 1 0x00181000 0x0018FFFF First Network Behavior False 64-bit - False
test.exe 1 0x00010000 0x0004BFFF First Network Behavior False 64-bit - False
test.exe 1 0x00010000 0x0004BFFF Final Dump False 64-bit - False
YARA Matches (2)
Rule Name Rule Description Classification Score Actions
XWorm_Strings XWorm strings Spyware 5/5
XWorm_Decryption_Routine XWorm decryption routine Spyware 5/5
C:\Users\OqXZRaykm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk Dropped File Shortcut Clean
MIME Type application/x-ms-shortcut
File Size 774 Bytes
MD5 5dfef4e6db40c355065b229479ecaac5
SHA1 ae23d496d6816a6dfd1d53e512c9bbd0d3b92fce
SHA256 c5460f044672d9f6e7cf925077e6071dd450389d630cb9c2b3856582f898bf59
SSDeep 12:8XHBz24ajDT3oCskHY//GcLe8D839je2t1PNHkk/yCEhGmb:83BvIDboK49J8pNPCnGm
ImpHash -
4d830c2921ca9d1408dd409571f74a072c9bfb473f7d03bfb1a83a79ec1d9a63 Extracted File Image Clean
Parent File C:\Users\OqXZRaykm\AppData\Roaming\XClient.exe
MIME Type image/png
File Size 67.38 KB
MD5 b0568908ac8c5861e6f7df216a8b42a8
SHA1 f988edfa2e2298ca3b55d2cde5209552feadc608
SHA256 4d830c2921ca9d1408dd409571f74a072c9bfb473f7d03bfb1a83a79ec1d9a63
SSDeep 1536:27693CKf8sl1ouc3K/8Z1Xt5esA7/jRs7bz8KWKmMuA:U8SKfbzxcwg7es6/Vsb8VKTuA
ImpHash -