MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 15



SHA256 hash: 1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8
SHA3-384 hash: de3212f6a693649992dcc76a08e5e64122245796c72e42862ccfcadc13d75decc72e87b17e544055b518b116b579ad9f
SHA1 hash: 1f2cb906b92a945c7346c7139c7722230005c394
MD5 hash: 864d1a4e41a56c8f2e7e7eec89a47638
humanhash: comet-washington-mexico-oxygen
File name: 864d1a4e41a56c8f2e7e7eec89a47638
Signature: XWorm
File size: 3'723'882 bytes
First seen: 2024-06-20 18:04:52 UTC
Last seen: 2024-06-20 18:25:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ae9e38912ff6bd742a1b9e5c003576a (10 x DCRat, 7 x RedLineStealer, 4 x AsyncRAT)
ssdeep: 98304:nroESehXGx5IkVu1f/ihp+t49Rd3iG2dEsL:s3ehXzgiSvGiv3tEj
TLSH: T1B70633027AC557B1D62320318AB49F103879BC247F74C8FF57A4654E9E636C09A36BEB
TrID:
  89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: zbetcheckin
Tags: 32 exe xworm

Intelligence


File Origin
# of uploads: 2
# of downloads: 571
Origin country: FR
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 3bb992b1519a83ed99725ee87607f874c7554303b9979f5e91651a1f3788e91b.exe
Verdict: Malicious activity
Analysis date: 2024-06-20 13:36:24 UTC
Tags: amadey botnet stealer themida loader redline meta metastealer lumma

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: Banker Encryption Generic Other Static Stealth Xpack Dexter
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for analyzing tools
Connection attempt
Using the Windows Management Instrumentation requests
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed packed setupapi sfx shdocvw shell32 xpack
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executables to the windows directory (C:\Windows) and starts them
Excessive usage of taskkill to terminate processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Behaviour
Behavior Graph: (rendered graph image, not reproducible as text; Behavior Graph ID 1460318, sample FpbdV1sU4k.exe, start date 20/06/2024, architecture WINDOWS, score 100)
Threat name: Win32.Backdoor.XWormRAT
Status: Malicious
First seen: 2024-06-20 05:21:28 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: n/a
Score: 9/10
Tags: evasion themida trojan
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SHA256 hash: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash: c02a029c978f13b753c6b578b1588c75
SHA1 hash: e125d59451e7f467bfd329a00a506decbcd91d83

SHA256 hash: 1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8
MD5 hash: 864d1a4e41a56c8f2e7e7eec89a47638
SHA1 hash: 1f2cb906b92a945c7346c7139c7722230005c394
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: XWorm
File: Executable exe 1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID / Title / Severity)
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (severity: high)

Reviews (ID / Capabilities / Evidence)
GDI_PLUS_API: Interfaces with Graphics
  gdiplus.dll::GdiplusStartup
  gdiplus.dll::GdiplusShutdown
  gdiplus.dll::GdipAlloc
WIN32_PROCESS_API: Can Create Process and Threads
  KERNEL32.dll::CloseHandle
  KERNEL32.dll::CreateThread
WIN_BASE_API: Uses Win Base API
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryW
  KERNEL32.dll::LoadLibraryExA
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetSystemInfo
  KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API: Can Execute other programs
  KERNEL32.dll::AllocConsole
  KERNEL32.dll::AttachConsole
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::FreeConsole
  KERNEL32.dll::SetStdHandle
  KERNEL32.dll::GetConsoleMode
  KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API: Can Create Files
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateHardLinkW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::CreateFileMappingW
  KERNEL32.dll::DeleteFileW
  KERNEL32.dll::MoveFileW
  KERNEL32.dll::MoveFileExW

Comments



zbet commented on 2024-06-20 18:04:53 UTC

url : hxxp://77.91.77.82/lend/deep.exe