MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4
SHA3-384 hash:	48377a38094a3ea7982dab52ce46bd5f6463a2f601227fd019b39c0ba591a09b87c432350116e509b286e8d4d86a7972
SHA1 hash:	5851a9cac5a28de14c728572685e701d27b2a704
MD5 hash:	ee24e1ebe4184c6b7c2d65738a14bf0f
humanhash:	stream-pennsylvania-nevada-october
File name:	mpclient.dll
Download:	download sample
File size:	2'650'167 bytes
First seen:	2025-11-04 15:25:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	96ea0a05de9bd8786a471a32a5c6040a (2 x XWorm, 1 x AsyncRAT)
ssdeep	24576:w+6RfeJVxthwuHIy24rIXRuriBGA+oPYMRox1WFjfpdJ6clMi81s3Adc+zM8f:w+6RfaxthwuH17rIh0AhFjIc+o8f
Threatray	36 similar samples on MalwareBazaar
TLSH	T178C51A4359DF0DAACDD677B8A1835336B734FD308B295E3EAA48C23119536C4AE1BB50
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

mpclient.dll

Verdict:

No threats detected

Analysis date:

2025-11-04 15:28:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8c9d8384-4cd5-4dfd-b5c4-e839dccd07c7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35317/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690a1b279942f1282ecbfd6e

Tags:

vmdetect

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4

Verdict:

Malicious

File Type:

dll x64

First seen:

2025-11-04T12:47:00Z UTC

Last seen:

2025-11-04T13:56:00Z UTC

Hits:

~10

Detections:

Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Trojan.Win32.DLLhijack.sb Trojan.Win32.Agent.sb Backdoor.MSIL.XWorm.b Trojan.Win64.DonutInjector.sb Backdoor.Agent.TCP.C&C Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.XWorm.fee

Link:

https://opentip.kaspersky.com/0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/36374a22-48d5-424d-8406-7d7063c87508

Score:

78%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/ee24e1ebe4184c6b7c2d65738a14bf0f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4/

Verdict:

Malicious

Threat:

Trojan.MSIL.XWorm

Link:

https://tip.neiki.dev/file/0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-11-04 15:26:57 UTC

File Type:

PE+ (Dll)

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=btrihrlvv2hcq7iuhivhoyhsgijx6zqbj6kp7nnf2kus4na2zo2a._file

Verdict:

malicious

Label(s):

donutloader

xworm

37599b38dcbe50dd01c413d2c5aeccc6582d640cf81ad4eb1f5877ed25c40d5d

664e90e815ce56b91d51e107d0bb76b4bc5e4ae3ff57de6ce99635f6357771b5

72ac8cc42df3b7e913a8424004a82c930388c5dd0641a7200840bae2722f467d

74a40d2f809116abb9da9d754950e8ef484c6344087718d6f12ee36dff4db768

bef599d14222a9eccbebe09377f3a1ccc9e4e5367884c93c9af185c0f41bd335

cedcfe85d91b8e4cc835547efd2d7b761b4aad101f306435a925f708fbcf1037

dcdd29b2d64f816751cec2150be92711e46f67bc657dd930630616f658605cbb

error

f8343679b868073000380e233f32b10a04a9b4f3e28e7eb7bf58107566f9043c

+ 26 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251104-st6rpsvjbv/

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f210f1cb-a39a-4877-85cc-b29b94ceaf20

Unpacked files

SH256 hash:

0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4

MD5 hash:

ee24e1ebe4184c6b7c2d65738a14bf0f

SHA1 hash:

5851a9cac5a28de14c728572685e701d27b2a704

Link:

https://www.unpac.me/results/1f969c16-a8b1-4543-a0cd-c60ad0d71cbc/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ce283c575ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35317/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample