MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 19

Intelligence 19 IOCs 1 YARA 12 File information Comments

SHA256 hash:	010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01
SHA3-384 hash:	2bb981bf814d049b2aff204072012b9749bb3ef9a650b2351afc096228acd2563e5544e3ee4b49696824c4cad9912a82
SHA1 hash:	ca5de747a982e6486d7568906eb93a979832d482
MD5 hash:	16e06d92b404204bc674a5379bceb823
humanhash:	sink-salami-chicken-gee
File name:	16E06D92B404204BC674A5379BCEB823.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	627'208 bytes
First seen:	2025-09-27 12:45:10 UTC
Last seen:	2025-10-09 14:59:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:bdhqhqhqYLkrwj9o6ZS1oXGsDy3dt2T6PCcFzhzkR:bdhqhqh5Lkrw/Z8uyr66Rzhm
Threatray	254 similar samples on MalwareBazaar
TLSH	T1AFD4F1953269EC03C6A55FF40834E7BA07B98D5CE815E2D75EFBECEB7898B402900257
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	abuse_ch
Tags:	exe xworm

abuse_ch

XWorm C2:
91.92.240.130:6000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.92.240.130:6000	https://threatfox.abuse.ch/ioc/1602776/

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

16E06D92B404204BC674A5379BCEB823.exe

Verdict:

Malicious activity

Analysis date:

2025-09-27 12:47:13 UTC

Tags:

auto-sch-xml remote xworm

Link:

https://app.any.run/tasks/edaf156e-d688-4d7a-b90a-3cc372c69678

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/29251/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d7dcb891dd51f6514f25d5

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Creating a file

DNS request

Connection attempt

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Setting a global event handler for the keyboard

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature obfuscated packed packed packer_detected signed vbnet

Link:

https://www.filescan.io/uploads/68d7dcc16c140e5b35fecf61/reports/682f77bd-c829-4b75-9243-86df27358e21/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-24T22:19:00Z UTC

Last seen:

2025-09-24T22:19:00Z UTC

Hits:

~1000

Detections:

Backdoor.MSIL.XWorm.c Trojan.MSIL.Taskun.sb Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb HEUR:Trojan-Spy.MSIL.Noon.gen HEUR:Trojan.MSIL.Taskun.sb Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic Trojan.MSIL.Crypt.sb

Link:

https://opentip.kaspersky.com/010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a60ee65e-f8d0-4228-829e-7f96bde0913b

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1785170

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

AI detected suspicious PE digital signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.36 Win 32 Exe x86

Link:

https://app.malva.re/file/16e06d92b404204bc674a5379bceb823

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2025-09-25 03:57:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aeahj4puvyebdp2g3xkanmfwj4miefcunumahcuzq6aimnzclyaq._file

Verdict:

malicious

Label(s):

unc_loader_037

XWorm

26e7f73744ff89320d8e9c39760db8dc4f4e0865c1e18423d60926b3de522b47

XWorm

649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67

XWorm

6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00

XWorm

error

XWorm

+ 244 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm defense_evasion discovery execution persistence rat spyware trojan

Link:

https://tria.ge/reports/250927-pz878scm3x/

Behaviour

Modifies system certificate store

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Xworm family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8f0c5b6d-1c1e-4b2a-8ecf-ddf89bbd055a

Unpacked files

SH256 hash:

010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01

MD5 hash:

16e06d92b404204bc674a5379bceb823

SHA1 hash:

ca5de747a982e6486d7568906eb93a979832d482

Link:

https://www.unpac.me/results/505efee1-d16a-4711-8862-71299698d96b/

SH256 hash:

8cf57d7f0248a74ab4fea9b4e99555bf9b39ac179dcce6402a8ca8f5f21e8586

MD5 hash:

2de5b0160b4be5a45e61a65713637dea

SHA1 hash:

1feeff594f2eb907e4313fb910bb55c4bd2716fd

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/505efee1-d16a-4711-8862-71299698d96b/

SH256 hash:

cdb8ac92c7a341ee1ead563bf7b48a244d580acfb30704043b6d4b24ea5ccf09

MD5 hash:

07ca79c30cd50df8c68d115eebd52475

SHA1 hash:

a70c058086cd6156059b9947aee5bcd3f75f3336

Link:

https://www.unpac.me/results/505efee1-d16a-4711-8862-71299698d96b/

SH256 hash:

f9f727b8bdcace83a55de5b5cba8e06c97a0bd786f1f3ba6e3088ac65735adea

MD5 hash:

b7647ad12b62f0839fd3d050444006b6

SHA1 hash:

f9717fb21d22e53c7790ba91da06b6bde38c66ca

Link:

https://www.unpac.me/results/505efee1-d16a-4711-8862-71299698d96b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/010074f1f4ae0811bf46ddd406b0b64f188214546d18038a9987808637225e01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_XWorm_b7d6eaa8 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29251/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample