MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 16

SHA256 hash: 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7
SHA3-384 hash: 62300005a1d2a99d172aabfbc334cd52c3bd25f40d9ece141d1f97a6c2df3b6dac118316e49d5ce114a4cba464ddfac1
SHA1 hash: 29f4429939e57666b8a57c2d7b95a4801fa7ca20
MD5 hash: dc50baff9f1bab10f1ebc24e0d77afc3
humanhash: oregon-orange-emma-quebec
File name: 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7
Signature: XWorm
File size: 571'904 bytes
First seen: 2024-10-15 09:18:13 UTC
Last seen: 2024-10-15 10:50:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:mujuIGjAOphSW579i8fB106f91hYC1l+W8GSAZ2nxKdn3wGK570:LRaAODHVrB/lDH8gZhdAY
TLSH: T110C4AD143268FA73D45D7ABDC802F65007746E113ED2D5B639787BBE1E32ADB46032A2
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon 8271f0ccccccd400 (1 x XWorm)
Reporter JAMESWT_WT
Tags: exe rentry-co xworm

Intelligence

File Origin
# of uploads: 2
# of downloads: 415
Origin country: IT
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7
Verdict: Malicious activity
Analysis date: 2024-10-15 09:21:55 UTC
Tags: xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Powershell Autorun Emotet Cobalt

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: net packed

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found direct / indirect Syscall (likely to bypass EDR)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph: (rendered as an image on the original page; the node summary recovered from it follows)
Behavior Graph ID: 1533949; sample: r8k29DBraE.exe; start date: 15/10/2024; architecture: WINDOWS; score: 100
Network: rentry.co (104.26.2.16, port 443, CLOUDFLARENETUS, United States; flagged "Connects to a pastebin service (likely for C&C)"), i.ibb.co (169.197.85.95, port 443, PUREVOLTAGE-INCUS, United States), 2 other IPs or domains
Dropped files: C:\Users\user\Desktop\wzcsvc.exe (PE32+), C:\Users\user\Desktop\wzcsapi.exe (PE32), C:\ProgramData\Microsoft\...\Report.wer (Unicode)
Process tree: r8k29DBraE.exe starts wzcsvc.exe, wzcsapi.exe and WerFault.exe; wzcsvc.exe injects into lsass.exe and svchost.exe and starts svchost.exe plus 26 other processes; wzcsapi.exe contacts the domains above and starts schtasks.exe, which starts conhost.exe; lsass.exe starts and injects into svchost.exe; svchost.exe (started by wzcsvc.exe) connects to the network and starts WerFault.exe
Signatures on nodes: r8k29DBraE.exe: Found direct / indirect Syscall (likely to bypass EDR), Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent); wzcsvc.exe: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, 8 other signatures; wzcsapi.exe: Uses schtasks.exe or at.exe to add and modify task schedules; lsass.exe: Creates files in the system32 config directory, Writes to foreign memory regions; svchost.exe: System process connects to network (likely due to code injection or exploit); root: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, 12 other signatures
Threat name: ByteCode-MSIL.Trojan.Heracles
Status: Malicious
First seen: 2024-05-23 15:02:35 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 18 of 37 (48.65%)
Threat level: 5/5

Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:xworm defense_evasion evasion persistence rat trojan
Behaviour:
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Sets service image path in registry
Detect Xworm Payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Verdict: Malicious
Tags: red_team_tool
YARA: HKTL_NET_GUID_UAC_Escaper
Unpacked files

SHA256 hash: 74d57e2a613a3ff83190ab0d0868303472bda5a553c5c859088f66e6456e4643
MD5 hash: 60a43a859a3d102c8425bf2c90775ac1
SHA1 hash: 047595015c1abf6b812abb5cd971611f30687a0f
Detections: PureCrypter_Stage1 win_xworm_w0 MALWARE_Win_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT

SHA256 hash: c4f22103540b716de56f468fe2239ab2d04fe127d0acce9dd9421b22f401d983
MD5 hash: 849f6948536bdd144c7e09d94b7ed6b8
SHA1 hash: 984dbbb2cebcfa3cabd1180e8f371ebdfa65088e

SHA256 hash: 29a87b8a67604fa8127eb85372925df7dc3b0dc4b92948f04ca5de52914b2021
MD5 hash: 5309dd7db7719a3786641ace17e905bb
SHA1 hash: 8e4998db38e23764a24cf351b8eb7b370b85d749

SHA256 hash: 6b5c2e9a2ef36412b2636236ade5530c59573b51b07fe224fd980911cbb7b976
MD5 hash: 64ffe7c0fa6ac22f5acafd3ceb4aca5b
SHA1 hash: 104182708267ee1a6da0e9e83cb04df83edae120

SHA256 hash: d6e0f73d33c845137cad6d2c234e316fed9af32f9fcbadba2be5adb65698ca52
MD5 hash: 9837029c450090a82900276ea1295f4b
SHA1 hash: 0789a6b1a0ecb90a0076d05fd63c0c818edcce32

SHA256 hash: f7dd8d6299c108a3221c31bf33637f59f0e19703aaa88b1e3a4f1093e7209a5d
MD5 hash: a69c6e092d415063a9fb80f8fe4e3444
SHA1 hash: 8b26a0fd01b1e48f7110cffecf6bc3b9d0822e9a
Detections: MALWARE_Win_R77

SHA256 hash: 527e4fa34f8a879b2f0ffee49033713363f96e8814585a6494a7508b1063f697
MD5 hash: b0a5f944bcbf2a6f3c78a44bec04e7e0
SHA1 hash: 56e960ae84823b314b07aaa7637dcc2bcc665ae4
Detections: MALWARE_Win_R77

SHA256 hash: 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7
MD5 hash: dc50baff9f1bab10f1ebc24e0d77afc3
SHA1 hash: 29f4429939e57666b8a57c2d7b95a4801fa7ca20
Detections: HKTL_NET_GUID_UAC_Escaper
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HKTL_NET_GUID_UAC_Escaper
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects c# red/black-team tools via typelibguid
Reference: https://github.com/NYAN-x-CAT/UAC-Escaper

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                            Severity
CHECK_AUTHENTICODE         Missing Authenticode                             high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high

Comments