MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 20

Intelligence 20 IOCs 1 YARA 4 File information Comments

SHA256 hash:	1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32
SHA3-384 hash:	f926ed49a3469f9aabd7599ddb9e439082f71edb7c59a0df533f36dff16c724e305a39fa33c3df70f02a59ca16007a49
SHA1 hash:	8ad3bd3feffdbba514c8eeaae44387e89c78a7da
MD5 hash:	21a2254c1e3da0cd60a1e554327e2a6e
humanhash:	double-lake-autumn-network
File name:	21A2254C1E3DA0CD60A1E554327E2A6E.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	51'200 bytes
First seen:	2025-10-08 18:45:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	768:YzQAJbyPqTCLFrwiyYCfSZ568RUfGV1WLHlLAvd12W5P9S+yob:2rbyPq0Frwi6SZ568ut7lLALDB9S+7b
Threatray	2'598 similar samples on MalwareBazaar
TLSH	T18433F1204789AD3FF1A687354DE1C3C2171D9A071AA5634EAD8DE2E3874931C39B27F5
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe xworm

abuse_ch

XWorm C2:
192.169.69.26:7000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
192.169.69.26:7000	https://threatfox.abuse.ch/ioc/1609533/

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

21A2254C1E3DA0CD60A1E554327E2A6E.exe

Verdict:

Malicious activity

Analysis date:

2025-10-08 18:50:10 UTC

Tags:

xworm

Link:

https://app.any.run/tasks/457cdb00-cf78-48f7-a9ae-5f8a2a680e76

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/31186/

Detection(s):

Win.Packed.Razy-7334624-0

ditekSHen.INDICATOR.Packed.NyanXCAT-CSharpLoader.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e6b1667f305fa2545db326

Tags:

backdoor packed micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Forced shutdown of a system process

Query of malicious DNS domain

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

limecrypter packed packed

Link:

https://www.filescan.io/uploads/68e6b180f377ab2310547c12/reports/85f5eace-718e-4afa-b601-3cbadb90907c/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-05T16:13:00Z UTC

Last seen:

2025-10-05T17:16:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec39a09d-ded6-461e-ba27-5c7d26adaabb

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1791698

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.01 Win 32 Exe x86

Link:

https://app.malva.re/file/21a2254c1e3da0cd60a1e554327e2a6e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32

Threat name:

Win32.Backdoor.NanoCore

Status:

Malicious

First seen:

2025-10-05 18:51:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 37 (81.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=d2qymiqgmbbauhhtmc4umttme5nqnkiggjruj2knfz7w5kzjlmza._file

Verdict:

malicious

Label(s):

xworm

XWorm

8511d75b8567fa242dc95d725a74f744d481c9e3ecacfd0f200debb788a368c5

XWorm

aa40614b8749762597d022b58b0a1e6c958eaae496ab189d90426911b8842253

XWorm

be47b60d0203fbf8aac0aabee21f7aa2e90ca5d17363576c3ee9b1d6efd63f14

XWorm

cc4f4e1466183b11cfda923915e34cfd338cbf87a656d911120ceb784846d334

XWorm

error

XWorm

+ 2'588 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery rat trojan

Link:

https://tria.ge/reports/251008-xesnrawny2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

192.159.99.205:7000
xworm7000.duckdns.org:7000

Verdict:

Malicious

Tags:

Win.Packed.Razy-7334624-0

YARA:

n/a

Link:

https://app.threat.zone/submission/4342c649-30b3-4c5a-ad44-60d3500f00b4

Unpacked files

SH256 hash:

1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32

MD5 hash:

21a2254c1e3da0cd60a1e554327e2a6e

SHA1 hash:

8ad3bd3feffdbba514c8eeaae44387e89c78a7da

Link:

https://www.unpac.me/results/78ba0a63-e878-4d74-9aca-a061f492bc51/

SH256 hash:

e67977011d4d35bcf42fcfe1db141183638d2e34dc1bc65ef0bf4b8a9fa9acb3

MD5 hash:

23cabee383d6e76f37626fd872a6f34f

SHA1 hash:

a93e5d858a54435ba3ca89ec448b991cdc177d80

Detections:

win_xworm_a0

win_xworm_w0

XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/78ba0a63-e878-4d74-9aca-a061f492bc51/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ea186220660/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ea186220660420a1cf360b9464e6c275b06a906326344e94d2e7f6eab295b32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_NyanXCat_CSharpLoader Create hunting rule
Author:	ditekSHen
Description:	Detects .NET executables utilizing NyanX-CAT C# Loader

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/31186/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample