MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c4fe95cf6d9ac5ac79ec4daa54e4188fe33460b58906ae9bfa06f7188e2ba89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 17

SHA256 hash: 4c4fe95cf6d9ac5ac79ec4daa54e4188fe33460b58906ae9bfa06f7188e2ba89
SHA3-384 hash: 9bda90e45abef146dc26c17b6c163fb3310505c3103cf4deaf28f52629814e6677932af67194ffd05a456a638d804aaa
SHA1 hash: a6c0b5a4bb43b1ecee50731271b6723d8d2557da
MD5 hash: b10f627f6ec9ca74c33bb45675167bd6
humanhash: kansas-ink-snake-hamper
File name: SliceR Team.exe
Signature: XWorm
File size: 3'891'200 bytes
First seen: 2025-08-13 06:14:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep: 98304:MXMRnHMMMrrrrrrrrrrrkWWWWWWWWWWWWWWggggggggggggIBRS3:MX8HMMMrrrrrrrrrrrkWWWWWWWWWWWWU
Threatray: 1'404 similar samples on MalwareBazaar
TLSH: T1C40685D231EA564DF1783732BD9D0E0EDC6D9FF447233AB2B25A163A0872519532E8C6
TrID:
  38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: e5f0d9c158ac860b (1 x XWorm)
Reporter: AntiSkidding
Tags: dropper exe xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: GB

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _4c4fe95cf6d9ac5ac79ec4daa54e4188fe33460b58906ae9bfa06f7188e2ba89.exe
Verdict: Malicious activity
Analysis date: 2025-08-13 06:16:12 UTC
Tags: evasion pastebin auto-startup telegram xworm crypto-regex auto-reg remote ims-api generic susp-powershell

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: asyncrat autorun

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Dropper.Dapato
Status: Malicious
First seen: 2025-08-13 06:15:34 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 22 of 24 (91.67%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gurcu family:xworm defense_evasion discovery execution persistence rat stealer trojan
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Gurcu family
Gurcu, WhiteSnake
Xworm
Xworm family
Malware Config
C2 Extraction:
165.154.184.65:443
https://api.telegram.org/bot7620896360:AAESO3asmdI2KcyOHYP43QyfZ-A3eKhKWnw/sendMessage?chat_id=7324836948

Verdict: Malicious
Tags: External_IP_Lookup
YARA: n/a
Unpacked files

SHA256 hash: 4c4fe95cf6d9ac5ac79ec4daa54e4188fe33460b58906ae9bfa06f7188e2ba89
MD5 hash: b10f627f6ec9ca74c33bb45675167bd6
SHA1 hash: a6c0b5a4bb43b1ecee50731271b6723d8d2557da

SHA256 hash: dbe2866d154264a484f1135f06d479ea959851b25c0a3396dbb0ccae13b3c877
MD5 hash: d20c5538f32bd6045f3c19aef86f5238
SHA1 hash: 105ef994c15c4321a2d112ea262b8e7b6ec928d0
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 9bb89d3590c00db39a05b526327c5d345206e7623eda8a72f085fe7177cf910d
MD5 hash: e77ab8b73b5b87daddd44ebd7d7b8a92
SHA1 hash: 79bf9605efbd950b21770746bc5ac3978b0746c0
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 6b618e807f96c6ff4e2083934712db603beeb416baf55b546ac6187b37c9a355
MD5 hash: 5baf621b92b0327e3b0052241d7d8872
SHA1 hash: df3a2332b268ca5246f9182ad1d35a67bedaec7c
Detections: win_xworm_w0 XWorm win_xworm_bytestring win_xworm_simple_strings win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_TelegramChatBot INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 6a6efa754ef4e5debaf77dd8b55ecb0bbefd8db0a0e848477c5c9640d5c5b7c6
MD5 hash: db9178b713240d19876e6e8e5dea8125
SHA1 hash: 372622fd2a0111c773e5f05c1de6139dd2dc8093

SHA256 hash: ed12da46f90bf4df36d22755afcd63ffaaddc6e673aedd072c97c39dc740af56
MD5 hash: 9d9c840f89afea341648126cb07f621d
SHA1 hash: 5bd6ab725243c4d7a37742130f1e4f1ecbc6cf7e
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 68ef7ed155d5fd818b8ac1c0bda3c919cb2847ecda3487fc3259b676c14ab5ea
MD5 hash: 49a6c1c680a973e3ffd4ecfb3d53ce2a
SHA1 hash: 6d2429969358e199410e0a8163bd042430e75a06
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 2d110d346b4044de8ce4c8695c3eaa6fc5f22dd24001606ac14b3b8b0b104702
MD5 hash: 44dba589cf8e9277a3dd98889943a589
SHA1 hash: 91929e9ad1f7e6ba9865056b3163cfb267527072
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 670baaf0c9ffd9e1eb90c8df15bf4ba9287a4a611b74997171711c5298a4c636
MD5 hash: fe0ebe558fdf6c824b0a27a53e602d68
SHA1 hash: 971610898482ae9704c9010966f04f71c97deb71

SHA256 hash: 88a274a7f45b157b71219448731bda4fbed439a929684b5b7a5e50f4f905a999
MD5 hash: ec684886d5457e98eaf3d54b0605a1d0
SHA1 hash: c0844e580243d293c18e7377541bf912bedaee5b
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: ee4da3a5d8c9bc9d9b62a48292746eb542da1e021c0f693efd827b57a2cc1322
MD5 hash: cb3b3ed8e3914e516f4ee462d22d78f1
SHA1 hash: ea23a735c0a85e2bdb9c30e940c3bed1d43056d8
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 34a44ed88971cd4745d0c90e1766d9960e967fbeea316d86bd972cd6d8a5b5d0
MD5 hash: a5518b9088b8a69e1bdfb92a69d7b9dc
SHA1 hash: fc96e748a40090c88cfc0fb59d6cb504a97a6cfe
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64 encoded PowerShell script.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                 | Title                                                     | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                      | high
CHECK_NX           | Missing Non-Executable Memory Protection                  | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection  | high

Reviews
ID        | Capabilities             | Evidence
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteA
