MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7275b24c106b512ebb4520a80746db20d7d62e3d216303abfabb8a1d0b2b465. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 14

SHA256 hash: f7275b24c106b512ebb4520a80746db20d7d62e3d216303abfabb8a1d0b2b465
SHA3-384 hash: eb84a66f6194af046cf0f14f308c6164fac70d43def3a4a6ac6e37925ec863bdefaa18d708b4603f5e2b74dd6d7b0219
SHA1 hash: 82e6cf2872af4879277ce900d278a9f6b6288954
MD5 hash: 269ef1b92dbbb2007eb138288de26c54
humanhash: south-connecticut-enemy-sad
File name: Crespo_Loader.exe
Signature: XWorm
File size: 2'036'736 bytes
First seen: 2025-08-05 02:51:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep: 24576:Wgklx7tS5R/+Bt8N86UXIaJan5ObQMVg77XGywVP4msfx1pUcNMdTzRcBAYDSF1F:ylx7k/mt8NSJapIg7y4bNucm4aAdFD
TLSH: T14C95332176B0EC5DD381CD70E6B28D3605373DD81D301993667A7FAE7ADB29ADA0C211
TrID: 32.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      28.8% (.EXE) Win32 Executable (generic) (4504/4/1)
      13.0% (.EXE) OS/2 Executable (generic) (2029/13)
      12.8% (.EXE) Generic Win/DOS Executable (2002/3)
      12.8% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: 988ee37963c7dec8 (1 x XWorm)
Reporter: Vip5676
Tags: exe xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 43
Origin country: UA

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Crespo_Loader.exe
Verdict: Malicious activity
Analysis date: 2025-08-05 02:51:55 UTC
Tags: github loader evasion stealer telegram exfiltration confuser auto-startup auto-reg xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmprotect asyncrat emotet lien

Result
Verdict: Malware

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Searching for synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86
Threat name: Win32.Trojan.ExNuma
Status: Malicious
First seen: 2025-08-05 02:51:57 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 32 of 38 (84.21%)
Threat level: 5/5
Verdict: malicious
Label(s): pulsepack
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:phemedrone family:xworm credential_access discovery execution persistence rat spyware stealer trojan
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Phemedrone
Phemedrone family
Xworm
Xworm family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8284420386:AAH2eqWIgZglNbjoPm1jseKZ-_RRn_-eWZA/sendMessage?chat_id=5695636067
92.113.146.251:9944
Unpacked files
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_NET_NAME_ConfuserEx INDICATOR_EXE_Packed_ConfuserEx INDICATOR_EXE_Packed_Fody
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  | Title                                                      | Severity
CHECK_AUTHENTICODE  | Missing Authenticode                                       | high
CHECK_NX            | Missing Non-Executable Memory Protection                   | critical
CHECK_PIE           | Missing Position-Independent Executable (PIE) Protection   | high
CHECK_TRUST_INFO    | Requires Elevated Execution (level:requireAdministrator)   | high

Reviews
ID                 | Capabilities                    | Evidence
WIN32_PROCESS_API  | Can Create Process and Threads  | kernel32.dll::VirtualAllocExNuma, kernel32.dll::CreateThread
WIN_BASE_USER_API  | Retrieves Account Information   | kernel32.dll::GetComputerNameA

Comments