MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4edc085848c227c30b0022a28ef5054c19e60ef30ef5e7854ad2af29266d8bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 13



SHA256 hash: 4edc085848c227c30b0022a28ef5054c19e60ef30ef5e7854ad2af29266d8bdd
SHA3-384 hash: 17e5a26ade66f96538b902b654fae2d3d30883f94a9f54433f14a7a2e333d565367c91d419251701a840f68613e5ad42
SHA1 hash: 4e5757d543530d703c092c628b25ee6f9e71a32c
MD5 hash: 8d6bd132b879cd1e447345e6675928b4
humanhash: paris-river-nine-alaska
File name: SquadX_Loader.exe
Signature: XWorm
File size: 8'552'448 bytes
First seen: 2025-08-05 03:44:56 UTC
Last seen: 2025-08-05 10:17:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep: 98304:uzlEk/4OElKMVWka8bYPX43pbuFvVKbBqvi4+wW7dE6RILH:iaSREoMVza8bYPXCbuFd8IpWq
Threatray: 8 similar samples on MalwareBazaar
TLSH: T1B0863318BEC82C07DC0696B060D94AAF384CEE5557042D60F67577E8DEB68E3E1F990E
TrID: 32.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      28.8% (.EXE) Win32 Executable (generic) (4504/4/1)
      13.0% (.EXE) OS/2 Executable (generic) (2029/13)
      12.8% (.EXE) Generic Win/DOS Executable (2002/3)
      12.8% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: 8696e0d4d4e89686 (1 x XWorm)
Reporter: Vip5676
Tags: exe xworm

Intelligence


File Origin
# of uploads: 4
# of downloads: 50
Origin country: UA

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SquadX_Loader.exe
Verdict: Malicious activity
Analysis date: 2025-08-05 03:45:54 UTC
Tags: github evasion stealer telegram exfiltration ims-api generic auto-reg auto-startup remote xworm

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmprotect asyncrat lien

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Creating a file
Searching for the window
Creating a process with a hidden window
Changing a file
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Moving a recently created file
Replacing files
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: fasm

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Trojan.ExNuma
Status: Malicious
First seen: 2025-08-05 03:45:37 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 31 of 38 (81.58%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:phemedrone family:xworm credential_access discovery execution persistence rat spyware stealer trojan
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Phemedrone
Phemedrone family
Xworm
Xworm family
Malware Config
C2 Extraction:
92.113.146.251:9944
https://api.telegram.org/bot8284420386:AAH2eqWIgZglNbjoPm1jseKZ-_RRn_-eWZA/sendMessage?chat_id=5695636067

Unpacked files
SHA256 hash: 4edc085848c227c30b0022a28ef5054c19e60ef30ef5e7854ad2af29266d8bdd
MD5 hash: 8d6bd132b879cd1e447345e6675928b4
SHA1 hash: 4e5757d543530d703c092c628b25ee6f9e71a32c

SHA256 hash: 9b1a888f21487044f4af4c555863def639ac8bb5bfbe22d36d0a7dbba8bc3dd9
MD5 hash: b36d719b3ac8f10f64c9a4db0e216267
SHA1 hash: 6f2948d51be150b27a92e0fa32eb0a735103f3d4

SHA256 hash: 493ae3d3a335763e7f11a545e2f355f2b6f8f2a720c6914cc4fa4f561ebfec9b
MD5 hash: 9bb9456b77cae2cbcd6594fbd3ce40ed
SHA1 hash: 1cfad0d4b97d7d3a0bdfa01016155ff1d3f69fcd

Malware family: Phemedrone
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_NX: Missing Non-Executable Memory Protection (severity: critical)
CHECK_PIE: Missing Position-Independent Executable (PIE) Protection (severity: high)
CHECK_TRUST_INFO: Requires Elevated Execution (level:requireAdministrator) (severity: high)

Reviews
WIN32_PROCESS_API: Can Create Process and Threads (evidence: kernel32.dll::VirtualAllocExNuma, kernel32.dll::CreateThread)
WIN_BASE_USER_API: Retrieves Account Information (evidence: kernel32.dll::GetComputerNameA)

Comments