MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments 1

SHA256 hash:	03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f
SHA3-384 hash:	c997fb866d35d13585cae15b57522b087f26d1f586345f4261e98b40719c671c945ea29b513bf4eab135537b370e3fb3
SHA1 hash:	c4e0fb7bfa88aead8bb84be5682b4334795ed200
MD5 hash:	ade611fe038735ee5a2b5f71f59c9234
humanhash:	whiskey-london-delta-nuts
File name:	ade611fe038735ee5a2b5f71f59c9234
Download:	download sample
Signature	XWorm Create hunting rule
File size:	312'320 bytes
First seen:	2022-12-02 14:18:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:/vEJaQsDKUo4XT9ZTa6L3R45b3AQp+aA5SmX9Cfi714oWXxRsHTl:/cJaRu4bRk3AGqXNCiSXHszl
Threatray	729 similar samples on MalwareBazaar
TLSH	T1A564233A7DCAA5B8C2E7927104759F415F3C32D16DD64B9E9AFCC0325E892CED260C4A
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	zbetcheckin
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ade611fe038735ee5a2b5f71f59c9234

Verdict:

No threats detected

Analysis date:

2022-12-02 14:19:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e562e84c-70db-473a-8285-78534c816021

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/341912/

Detection(s):

SecuriteInfo.com.Win64.Trojan-gen.12035.29836.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638a0956d4d7598ad90438fd/reports/dd4c74da-2ce5-4795-b5e2-a10f41ff78fd/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0a550862-5ac9-454a-b461-88fed2f6a611

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1126546

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-12-02 14:19:06 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=apek4centnpnmtpavqlyf45svhxdd26tlf6qh4ufudbrxhto6jpq._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm persistence rat trojan

Link:

https://tria.ge/reports/221202-rmav1sac8z/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Xworm

Malware Config

C2 Extraction:

max.con-ip.com:4449

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9fc09692-03f7-4a90-b6f7-c151e0cca5fa

Unpacked files

SH256 hash:

03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f

MD5 hash:

ade611fe038735ee5a2b5f71f59c9234

SHA1 hash:

c4e0fb7bfa88aead8bb84be5682b4334795ed200

Link:

https://www.unpac.me/results/c60b8282-04a4-437c-a805-e2b395654a04/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

exe 03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2441773/

Cape

https://www.capesandbox.com/analysis/341912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-12-02 14:18:12 UTC

url : hxxp://77.73.133.113/lego/66dbc40.exe