MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 18

Intelligence 18 IOCs YARA 19 File information Comments

SHA256 hash:	1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a
SHA3-384 hash:	267083a48e42224127b34c72dfb0edd6da17eec63e9894449c2e6ed3c5cd655fe2f5cc2475f88824c0bc44ab62ddf68a
SHA1 hash:	c5c166b5ab2088237f33ce3d956f31da0ac19ab2
MD5 hash:	4857f31e3c113f8ccac6a8ac4a5bd3ef
humanhash:	fruit-alpha-music-high
File name:	1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a
Download:	download sample
Signature	XWorm Create hunting rule
File size:	588'288 bytes
First seen:	2025-08-12 13:50:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:X+QGeY/3plP+WmHXnbapUJnO0Vp5PYDVIyrzySDH+Oki:XET5lP0rtJO0Vp5PY5IyXySLvk
TLSH	T10CC4F104B78AE412D8EA1A711A32C274037BBD8DA936D31B5BEC3E6F3B737845511B61
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Contract.bz

Verdict:

Malicious activity

Analysis date:

2025-07-17 11:22:29 UTC

Tags:

arch-exec netreactor

Link:

https://app.any.run/tasks/dd41e1bf-5b93-4d8a-b0e6-bc04c56c48c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/20378/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689b46fdfca70bd90e8f0176

Tags:

masslogger autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Creating a process with a hidden window

Sending a custom TCP request

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/689b472f2fbe0788fb1e4e80/reports/ad096592-125f-40d8-811b-151a0b99881c/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4516515c-b035-44ff-aa08-571998caa4fa

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a

Threat name:

Win32.Trojan.MassLogger

Status:

Malicious

First seen:

2025-07-17 07:22:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dubgyffuqtknesoifoejxkzvep256up4kurojarhtqvq3gnwwvna._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution rat trojan

Link:

https://tria.ge/reports/250812-q6pmva1kv7/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Checks computer location settings

Drops startup file

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

xpwarzonlin2.ddns.net:1012

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7b7af552-1107-4147-97c4-08f6310faa5a

Unpacked files

SH256 hash:

1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a

MD5 hash:

4857f31e3c113f8ccac6a8ac4a5bd3ef

SHA1 hash:

c5c166b5ab2088237f33ce3d956f31da0ac19ab2

Link:

https://www.unpac.me/results/9e489bb3-ca96-420f-9252-a0a7472af570/

SH256 hash:

310d2591db538d776ed6249ec5491843a4aa7a8f36f8fadb15d7456a33f6c907

MD5 hash:

0cf78f255297e6e35abab43631b59e0c

SHA1 hash:

1aea51de062edaadff1b5d2ee01151f6d7077984

Detections:

win_xworm_w0

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/9e489bb3-ca96-420f-9252-a0a7472af570/

Parent samples :

3cdbdeddbb04d4382fdd85e848bbfbbcc01e3dfa25df1a96c7bc6a9d1f5bbd7f
1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a
f693db1218d19063d65f0617d326d298f67233cdbc4c3d3b9943987a91049508
b9cb68c5ee8eba74c54c45242cd0fddb6191b5488659ffee0adccad2d38d12c1
e980147feb749704db2b218c9bf20b80d8a616fc70d3a75a1b4f1f7c0b03b0d1

SH256 hash:

0ad9330f8096b30a282f53d51dfe44664f3ba3251199d25f097c01f43fe55aec

MD5 hash:

cc621595551035aa96c37e8738bfb040

SHA1 hash:

3507953a4fba3cf6df37347156f060e4e9e09ed7

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/9e489bb3-ca96-420f-9252-a0a7472af570/

Parent samples :

06ede9a79380740bc6717b85c81962911c87ef299c0f9925e44cf66569784154
881666cfb7700551912b6f0b5ed601d61aa0c81576d53f69a43246b573832f8c
c45640db87251995dc06c2ea4ef6ca5c0922df2b54819c84f4ef3477a4cd23c1
371f1cb8f80e05125b0673ba6bcb23237cdfa3c66f2954561ee476b8d6f89e70
6ae17339b8a76cb12268e292ad1bd020e9b02acad06d868472bf00926bb83821
28dd00c9360fc7d7359113ee5599e0d902fdab71305d9f8ac52e97ccdfb1858b
939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
b37ff76776a38f2a0ded7ae2220a44c0dfcb92ed88f135bb3f4443ad8b98548a
bae9c509299e16792064c4219babb32f5acaf456a067228c77320ae69c678d31
4c732e0d384f492723ed512743084b8d30e75dc836f9baec38435e7f7298a752
10b473d1b8926572686bf2c6b3bdbc67e18a8dbf066d7f392966bccac917c97a
b72158c1c37f7ef6edfe5511acd3c9f7131ee6093688290b33d250871d7b74fc
034376b7cdb06a63b0232f54fb906b95f37fc7f4921e9c6999c37f4aad9d61ba
3cdbdeddbb04d4382fdd85e848bbfbbcc01e3dfa25df1a96c7bc6a9d1f5bbd7f
6d8d665ed1c840de96732ee893e4fce02f684b81491b92291fb99d537cd2b933
71cc18003948de6d70cfef8ecad9a10d842c3c24d07488b7b1c040c39755fd2d
f10f2a163771c5a1a36a9c243b3887caa461b7c6340c069e16735e2ec7d89219
9b77205f51b2a49e9a04f112d14f350e37c0183fe87c0614b597f81c5d57a95d
d2d35b1008ab18a196bf68887081208b475a1a70a74ef2ee8da7fe065cc4ad09
32232a07b736cd0d8e26f355bb8132d736c71bdb01fe2a78e386664cccde6dbd
566ca7ccb9b63e49ff9bbfe0dc46bfc628d8232f7d45097eeb92518203711b5a
a8c09aa5ef25bcd378a81138c1eb67c3e259c3e1e8ab6a25d3f59859d0929937
8f59ab17a29c57035493103d83e22f6f1ee15d33df4164fc69f47918f177cc1e
36a075c198f7bd34a5a7ac2981d644428a32d32efdcb6f5a16ce1b085f0fc08e
d1a0edb84de425f4ab004ef17965b309fce345f682248865b34d9b4932d6f8f6
52f7d9e48e3bd296430db88b98ee848e1d5daec114c1f2afce6d1220a89e2914
a8561c312838771cf9a079cb93b31fe770796853a74b4306fd881e8dd4340479
1f51b1d0df7579263dcf24df5e1c929e697f6d10549086c366f673450b69e079
b11795618dd4c3d57ad342cade637ad1d96006c7d46e803bd9eb3bee29ef2b67
0edf6cb143e229fe20ab001a3807027e15681cf90663407519dacf6f3765c99f
3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0
af94dfc71a87808a55b15f45c08c816f8c82eae3727760424c03d5c790613d06
d1811755daa3a02ad817f8b136e4c7b8299f8b17af7e38bdab0059986d510a7f
56a52da62bfba5f29ebc4c1ddff84bf2959c84db06fd685220ed910f18074e7b
1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a

SH256 hash:

30d031ca3a5475be3584e8543cbc690af838ca0f25382f18d866394abb54e9bc

MD5 hash:

b9fb63c02f351f72400381d6318570a5

SHA1 hash:

f3507ed307c8e962eb837bc48cfaa2c59b58e2a2

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/9e489bb3-ca96-420f-9252-a0a7472af570/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d026c14b484/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_AsyncRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects AsyncRAT backdoor.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_xworm_bytestring Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects bytestring present in unobfuscated xworm

Rule name:	win_xworm_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xworm.

Rule name:	xworm Create hunting rule
Author:	jeFF0Falltrades

Rule name:	xworm_kingrat Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20378/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample