MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 30 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0
SHA3-384 hash: fb4d9b5dd00b1e06ea01963773b566d271682c90b98e7b06ea75c1ea601b9163d4b5d16ea340ffe7c0f737e191f0518f
SHA1 hash: e199f9dcacb0ecea42206185f45454f2d1b9eaff
MD5 hash: 60b0ab983a31e921ddbc87c0cb3211b5
humanhash: green-oranges-indigo-hotel
File name:60b0ab983a31e921ddbc87c0cb3211b5.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:90'112 bytes
First seen:2025-07-13 23:30:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 1536:JxqjQ+P04wsmJC2u0AkyNJaLvpv6xqyJuFY9Pb6POH:sr85C2MkBvIPJuFY9PSOH
Threatray 823 similar samples on MalwareBazaar
TLSH T102938D44F7D08931D5FE6FFD5C22A2004636BA236D27D79E1DE54A9EAE2B7C00D08396
TrID 82.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win64 Executable (generic) (10522/11/4)
3.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
45.74.15.131:7000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.74.15.131:7000 https://threatfox.abuse.ch/ioc/1556518/

Intelligence

File Origin
# of uploads :
1
# of downloads :
25
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0.exe
Verdict:
Malicious activity
Analysis date:
2025-07-13 23:33:05 UTC
Tags:
neshta auto-reg telegram auto-startup xworm crypto-regex
Link:
https://app.any.run/tasks/c09d9a15-01d2-4fad-86c7-bcc5d3513f61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14133/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Msilzilla-10002982-0
Create hunting rule

Win.Packed.Msilzilla-10019837-0
Create hunting rule

Win.Packed.Loveletter-10023052-0
Create hunting rule

Win.Dropper.Nanocore-10024427-0
Create hunting rule

Win.Packed.Msilzilla-10024501-0
Create hunting rule

Win.Packed.Loveletter-10024677-0
Create hunting rule

Win.Packed.Msilzilla-10026193-0
Create hunting rule

Win.Malware.Deepscan-10028866-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687441a0900df8e7f86a7c5f
Tags:
autorun neshta
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a file in the Program Files subdirectories
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file
Launching a process
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm borland_delphi explorer fingerprint lolbin neshta njrat njrat overlay overlay packed rat schtasks telegram virus xworm
Link:
https://www.filescan.io/uploads/687441a196dca665885087e0/reports/b879222f-4950-41ec-bf52-f3059f7db033/overview
Verdict:
Malicious
Labled as:
Neshta.A
Link:
https://www.hybrid-analysis.com/sample/74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/355ac7ef-258b-4aa5-9fe1-b638f261ff8b
Result
Threat name:
Neshta, XWorm
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1735524
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Neshta
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1735524 Sample: NQpq6R6CsA.exe Startdate: 14/07/2025 Architecture: WINDOWS Score: 100 78 ZULO88.DDNS.NET 2->78 80 api.telegram.org 2->80 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 96 16 other signatures 2->96 10 NQpq6R6CsA.exe 4 2->10         started        14 svchost.com 2->14         started        16 svchost.com 2->16         started        18 2 other processes 2->18 signatures3 92 Uses dynamic DNS services 78->92 94 Uses the Telegram API (likely for C&C communication) 80->94 process4 file5 62 C:\Windows\svchost.com, PE32 10->62 dropped 64 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 10->64 dropped 66 C:\Users\user\AppData\...66Qpq6R6CsA.exe, PE32 10->66 dropped 68 99 other malicious files 10->68 dropped 108 Creates an undocumented autostart registry key 10->108 110 Drops PE files with a suspicious file extension 10->110 112 Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS) 10->112 114 2 other signatures 10->114 20 NQpq6R6CsA.exe 22 6 10->20         started        25 System32.exe 14->25         started        27 System32.exe 16->27         started        signatures6 process7 dnsIp8 82 ZULO88.DDNS.NET 45.74.15.131, 49723, 7000 TOTAL-SERVER-SOLUTIONSUS United States 20->82 84 api.telegram.org 149.154.167.220, 443, 49722 TELEGRAMRU United Kingdom 20->84 60 C:\Users\user\AppData\Roaming\System32.exe, PE32 20->60 dropped 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->98 100 Protects its processes via BreakOnTermination flag 20->100 102 Drops executables to the windows directory (C:\Windows) and starts them 20->102 104 Adds a directory exclusion to Windows Defender 20->104 29 svchost.com 2 20->29         started        33 svchost.com 20->33         started        35 svchost.com 20->35         started        37 2 other processes 20->37 file9 signatures10 process11 file12 70 C:\Program Files (x86)\...\msedge.exe, PE32 29->70 dropped 72 C:\Program Files (x86)\...\misc.exe, PE32 29->72 dropped 74 C:\Program Files (x86)\...\misc.exe, PE32 29->74 dropped 76 36 other malicious files 29->76 dropped 116 Bypasses PowerShell execution policy 29->116 118 Uses schtasks.exe or at.exe to add and modify task schedules 29->118 120 Adds a directory exclusion to Windows Defender 29->120 122 2 other signatures 29->122 39 powershell.exe 29->39         started        42 powershell.exe 33->42         started        44 powershell.exe 35->44         started        46 powershell.exe 37->46         started        48 schtasks.exe 37->48         started        signatures13 process14 signatures15 106 Loading BitLocker PowerShell Module 39->106 50 conhost.exe 39->50         started        52 conhost.exe 42->52         started        54 conhost.exe 44->54         started        56 conhost.exe 46->56         started        58 conhost.exe 48->58         started        process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0
Verdict:
inconclusive
YARA:
8 match(es)
Tags:
.Net Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/60b0ab983a31e921ddbc87c0cb3211b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0/
Verdict:
Malicious
Threat:
Win32.Backdoor.AsyncRAT
Link:
https://tip.neiki.dev/file/74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2025-07-10 20:06:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=or2axc5zx4m4txg7wvieehgh3figktk2ir7vcld5cmtzthrr6dia._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
neshta
Create hunting rule
Similar samples:
2e4a90a846b50975951daabfde4788fd6591bb2969ed279ab71efbe302815cb7
XWorm
39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997
XWorm
395e66284f277aa45fa7b25c1273e7839f12523e1694cd38cf66f926f50ce1a0
XWorm
5b184001611e475060b85f26e4e6798f8ede95d70e3c816b0486ead3e9bcf500
XWorm
c01edf0478f041cd8ee24307acdcf3f48ec2f93729df50aba0209aa484c9fa8f
XWorm
da385d82e6fc38fd3304d0d875b01f1967b7eee975d9f92d06f750d05e7ebfba
XWorm
de0a2dcaa49ec8c9d12289e7eb13b4a3bbf958050ad2aeb42f1dbfab9a1f255d
XWorm
ee3d3e0d8a196911117148b3cc2fc93ed6ae1e3afbdc3031e4ffa727a98ff83d
XWorm
error
XWorm
f43815dc58586fdf0bbe3cb3e2c06e48285507524cdcabdd857f0a6ff49fec4b
XWorm
+ 813 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:xworm discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250713-3heh7acl51/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Modifies system executable filetype association
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Neshta payload
Detect Xworm Payload
Neshta
Neshta family
Xworm
Xworm family
Malware Config
C2 Extraction:
ZULO88.DDNS.NET:7000
Verdict:
Malicious
Tags:
rat xworm trojan neshta Win.Trojan.Neshuta-1
YARA:
win_mal_XWorm MALWARE_Win_XWorm EXE_Virus_Neshta_March2024 Windows_Generic_Threat_b509dfc8 Windows_Virus_Neshta_2a5a14c8 MAL_Neshta_Generic MALWARE_Win_Neshta MAL_Malware_Imphash_Mar23_1
Link:
https://app.threat.zone/submission/f409e37e-1f46-48a8-ba4d-ca53eaaa2350
Unpacked files
SH256 hash:
74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0
MD5 hash:
60b0ab983a31e921ddbc87c0cb3211b5
SHA1 hash:
e199f9dcacb0ecea42206185f45454f2d1b9eaff
Detections:
win_neshta_auto
Create hunting rule
win_xworm_w0
Create hunting rule
win_neshta_g0
Create hunting rule
Neshta
Create hunting rule
Link:
https://www.unpac.me/results/5f07f1fb-b91e-4459-970c-7504be6082e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74740b8bb9bf19c9dcdfb550421cc7d950654d5a447f512c7d1327999e31f0d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:EXE_Virus_Neshta_March2024
Create hunting rule
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:neshta_v1
Create hunting rule
Author:RandomMalware
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Generic_Threat_b509dfc8
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security
Rule name:Windows_Virus_Neshta_2a5a14c8
Create hunting rule
Author:Elastic Security
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14133/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::GetDriveTypeA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA

Comments