MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f258e1faa4cbb6c3976d2e99e55f9a97da51d197f9fd9ba58553c2dd2541999e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f258e1faa4cbb6c3976d2e99e55f9a97da51d197f9fd9ba58553c2dd2541999e
SHA3-384 hash: b7ee435b70009334e160b391256459e09773c6e98703fe5c868e0805d85850742f928416bc9fb0bfa2ee2a7aea238186
SHA1 hash: aa89be5706e274878d0304f931b36f605e7a7b19
MD5 hash: da5e3b74fff72f0e14f29e5b5007ad59
humanhash: papa-wyoming-winter-oxygen
File name:MasonGod.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:449'024 bytes
First seen:2025-05-26 01:12:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:Bm+L1TkOrtomRarRweFvJKpsWyVFd5cdjigTG1bydf83gVPz+15JYJR5n:Bm+RTRKvYKJ5ixeyFvyGJ/
TLSH T1D9A4CF5127E4C92BEABF43B5F5B1122067B8F20B9112EB4A748C16F96B233415D137AF
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter BastianHein
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
474
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MasonGod.exe
Verdict:
Malicious activity
Analysis date:
2025-05-26 01:14:45 UTC
Tags:
auto-reg auto-sch bdaejec backdoor auto-startup remote xworm
Link:
https://app.any.run/tasks/52814ff2-7d6e-4086-acbc-e1dc0f95719c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.LokiBot-10010685-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6833c1dc668438e362e6dff1
Tags:
agenttesla shell virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Running batch commands
Creating a file
Creating a process from a recently created file
Launching a process
Creating a window
Changing an executable file
Possible injection to a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Infecting executable files
Using obfuscated Powershell scripts
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmstp control fingerprint lolbin obfuscated packed packed packer_detected reconnaissance remote vbnet
Link:
https://www.filescan.io/uploads/6833c02efd02ed5e0587565c/reports/2ee07652-1ce5-416c-a8ea-a58d8488ceb8/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/f258e1faa4cbb6c3976d2e99e55f9a97da51d197f9fd9ba58553c2dd2541999e
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36d3ab0e-e43b-476d-bec9-491636c47f5b
Result
Threat name:
Babadeda, Bdaejec, XWorm
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1698909
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
Protects its processes via BreakOnTermination flag
Removes signatures from Windows Defender
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Babadeda
Yara detected Bdaejec
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1698909 Sample: MasonGod.exe Startdate: 26/05/2025 Architecture: WINDOWS Score: 100 99 ddos.dnsnb8.net 2->99 105 Suricata IDS alerts for network traffic 2->105 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 30 other signatures 2->111 10 wlanext.exe 3 6 2->10         started        14 powershell.exe 2->14         started        16 MasonGod.exe 5 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 83 C:\Users\user\AppData\Roaming\x69s.exe, PE32 10->83 dropped 85 C:\Users\user\AppData\...\x69Install.exe, PE32 10->85 dropped 87 C:\Users\user\AppData\Roaming\x69..exe, PE32 10->87 dropped 139 Protects its processes via BreakOnTermination flag 10->139 141 Creates multiple autostart registry keys 10->141 143 Adds a directory exclusion to Windows Defender 10->143 21 x69Install.exe 10->21         started        25 x69..exe 10->25         started        39 5 other processes 10->39 145 Writes to foreign memory regions 14->145 147 Modifies the context of a thread in another process (thread injection) 14->147 149 Injects a PE file into a foreign processes 14->149 27 dllhost.exe 14->27         started        29 conhost.exe 14->29         started        89 C:\Users\user\AppData\Roaming\wlanext.exe, PE32 16->89 dropped 91 C:\Users\user\AppData\...\MasonGod.exe.log, CSV 16->91 dropped 151 Bypasses PowerShell execution policy 16->151 31 cmd.exe 16->31         started        33 powershell.exe 23 16->33         started        35 powershell.exe 23 16->35         started        101 127.0.0.1 unknown unknown 18->101 153 Antivirus detection for dropped file 18->153 155 Multi AV Scanner detection for dropped file 18->155 157 Uses schtasks.exe or at.exe to add and modify task schedules 18->157 37 conhost.exe 18->37         started        file6 signatures7 process8 file9 79 C:\Users\user\AppData\Local\Temp\iyMbXS.exe, PE32 21->79 dropped 113 Antivirus detection for dropped file 21->113 115 Multi AV Scanner detection for dropped file 21->115 41 iyMbXS.exe 21->41         started        81 C:\Users\user\AppData\Local\Temp\...\1248.bat, Unicode 25->81 dropped 117 Detected unpacking (creates a PE file in dynamic memory) 25->117 119 Detected unpacking (overwrites its own PE header) 25->119 46 cmd.exe 25->46         started        121 Contains functionality to inject code into remote processes 27->121 123 Writes to foreign memory regions 27->123 125 Creates a thread in another existing process (thread injection) 27->125 137 2 other signatures 27->137 48 winlogon.exe 27->48 injected 50 lsass.exe 27->50 injected 127 Modifies Windows Defender protection settings 31->127 129 Disables Windows Defender (via service or powershell) 31->129 131 Removes signatures from Windows Defender 31->131 52 conhost.exe 31->52         started        54 timeout.exe 31->54         started        133 Found suspicious powershell code related to unpacking or dynamic code loading 33->133 135 Loading BitLocker PowerShell Module 33->135 56 conhost.exe 33->56         started        58 conhost.exe 35->58         started        60 5 other processes 39->60 signatures10 process11 dnsIp12 103 ddos.dnsnb8.net 3.229.117.57, 49693, 49694, 49695 AMAZON-AESUS United States 41->103 93 C:\Program Files\7-Zip\Uninstall.exe, PE32 41->93 dropped 95 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 41->95 dropped 97 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 41->97 dropped 159 Antivirus detection for dropped file 41->159 161 Multi AV Scanner detection for dropped file 41->161 163 Detected unpacking (changes PE section rights) 41->163 173 2 other signatures 41->173 165 Modifies Windows Defender protection settings 46->165 167 Disables Windows Defender (via service or powershell) 46->167 169 Removes signatures from Windows Defender 46->169 62 powershell.exe 46->62         started        65 conhost.exe 46->65         started        67 MpCmdRun.exe 46->67         started        69 dllhost.exe 48->69         started        171 Writes to foreign memory regions 50->171 file13 signatures14 process15 signatures16 175 Loading BitLocker PowerShell Module 62->175 177 Injects code into the Windows Explorer (explorer.exe) 69->177 179 Writes to foreign memory regions 69->179 181 Creates a thread in another existing process (thread injection) 69->181 183 Injects a PE file into a foreign processes 69->183 71 svchost.exe 69->71 injected 73 dwm.exe 69->73 injected 75 svchost.exe 69->75 injected 77 6 other processes 69->77 process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f258e1faa4cbb6c3976d2e99e55f9a97da51d197f9fd9ba58553c2dd2541999e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f258e1faa4cbb6c3976d2e99e55f9a97da51d197f9fd9ba58553c2dd2541999e/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-05-26 01:13:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jmod6vezo3mhf3nf2m6kx42s7nfdumx7h6zxjmfkpbn2jkbtgpa._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:bdaejec family:xworm aspackv2 backdoor defense_evasion discovery evasion execution persistence privilege_escalation rat trojan
Link:
https://tria.ge/reports/250526-bk51datwfv/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Modifies Security services
ASPack v2.12-2.42
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Sets service image path in registry
Bdaejec
Bdaejec family
Contains code to disable Windows Defender
Detect Xworm Payload
Detects Bdaejec Backdoor.
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Malware Config
C2 Extraction:
art-albany.gl.at.ply.gg:56107
ddos.dnsnb8.net
Verdict:
Malicious
Tags:
Win.Dropper.LokiBot-10010685-0
YARA:
n/a
Link:
https://app.threat.zone/submission/4f4b5754-7a1a-446e-b9aa-92b6e4cf91f0
Unpacked files
SH256 hash:
f258e1faa4cbb6c3976d2e99e55f9a97da51d197f9fd9ba58553c2dd2541999e
MD5 hash:
da5e3b74fff72f0e14f29e5b5007ad59
SHA1 hash:
aa89be5706e274878d0304f931b36f605e7a7b19
Link:
https://www.unpac.me/results/9c18be40-dfe0-4eac-aee2-18475ac96adb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f258e1faa4cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f258e1faa4cbb6c3976d2e99e55f9a97da51d197f9fd9ba58553c2dd2541999e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments