MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce
SHA3-384 hash:	42a1c198141da347656a0dbb08f44d01643704f744dbb2402d80ebad4f679c63ec4cb48cbafceb27a011d4027d8879d2
SHA1 hash:	98ce49eae7b94157fc3c5fc4aa0baa3ec5e0f844
MD5 hash:	34a3c2fd798ecb47bcaa8e800d97a88b
humanhash:	happy-floor-zulu-mountain
File name:	stub.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	274'432 bytes
First seen:	2025-08-23 07:02:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3eaa16728a854711f996f462036af178 (1 x XWorm)
ssdeep	6144:qcbu7UxG1buIPMDWXZ2e/D/y+JfBFWUTUTBKC:qcbgLbuIPMD9OTLfBFWUTUTw
TLSH	T1CD44CF5AB3A605F8ED76C17CC9910946D625BC060750DEDF47A44AA72F23BE08D3EBA0
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	AntiSkidding
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

stub.exe

Verdict:

Malicious activity

Analysis date:

2025-08-22 23:49:51 UTC

Tags:

phishing xworm

Link:

https://app.any.run/tasks/3bbe6c97-d3ef-4737-b80e-bffa00536b0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/23125/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a9678de9d9dbcfd96d3298

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a process with a hidden window

Sending a custom TCP request

Creating a file

Launching a process

Creating a window

Connection attempt to an infection source

Creating a process from a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Query of malicious DNS domain

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm microsoft_visual_cc

Link:

https://www.filescan.io/uploads/68a967904a87ed796768ef52/reports/14e2a360-6e78-4b45-bf09-5890eb649dee/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-08-22T22:08:00Z UTC

Last seen:

2025-08-22T22:08:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Backdoor.MSIL.XWorm.a Backdoor.MSIL.XWorm.c Trojan.Win64.Agentb.sb Trojan.Agent.UDP.C&C PDM:Trojan.Win32.Tasker.cust HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.XWorm.eko Trojan.VBKrypt.UDP.ServerRequest HEUR:Backdoor.MSIL.XClient.b Backdoor.MSIL.Agent.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Backdoor.MSIL.XWorm.b Trojan.Win64.DonutInjector.sb

Link:

https://opentip.kaspersky.com/f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db26c426-1d84-4119-86ab-1e3a1ce8d957

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/34a3c2fd798ecb47bcaa8e800d97a88b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-08-23 02:51:30 UTC

File Type:

PE+ (Exe)

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6wghdj2nollr5p7pccxeaig5digogehlydbk2rfmwxyynuxaa3ha._file

Verdict:

malicious

Label(s):

donut_injector

xworm

Similar samples:

error

XWorm

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm defense_evasion execution persistence rat trojan

Link:

https://tria.ge/reports/250823-ht24eatjw6/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Modifies trusted root certificate store through registry

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

92.108.104.148:4444
melolz.3utilities.com:4444
unit-consultancy.gl.at.ply.gg:4444

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7d648cc2-9410-4dc0-b8ce-d6ca708da74b

Unpacked files

SH256 hash:

f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce

MD5 hash:

34a3c2fd798ecb47bcaa8e800d97a88b

SHA1 hash:

98ce49eae7b94157fc3c5fc4aa0baa3ec5e0f844

Link:

https://www.unpac.me/results/4abeb589-d045-4096-aa0a-9c7b2a4e0418/

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f58c71a74d72/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f58c71a74d72d71ebfef10ae4020dd1a0ce310ebc0c2ad44acb5f186d2e006ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23125/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample