MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158
SHA3-384 hash:	a0ffbdbb03f92c04a75a8e7f33bafc9708354eb75e587f5a67f869d755e0e3afb94ef7030b46988632154af8ff674463
SHA1 hash:	570deb3e3523e5d357f3ceacb2a543a69d5ae61b
MD5 hash:	1858d3717d985e1ba43e3f01d136b403
humanhash:	lemon-arkansas-idaho-spaghetti
File name:	file
Download:	download sample
Signature	XWorm Create hunting rule
File size:	65'536 bytes
First seen:	2025-11-29 17:21:53 UTC
Last seen:	2025-11-29 19:25:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	637df1e8f3c074f2ce79b53c3e34cfcc (1 x AsyncRAT, 1 x XWorm)
ssdeep	768:tKR3I7/LfGZsRdnLZ90PGmqTkHXqScKiQJ5o3Vm:cR3IvfGmRX90+TTu/j+m
Threatray	1'932 similar samples on MalwareBazaar
TLSH	T10E53F816ABF54844E4EE5A700CAE69B4C9B3BD720E14D60F3391362D2E73E93DC66352
TrID	77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-gcleaner exe f TWO.file xworm

Bitsight

url: http://194.38.20.224/service

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

GuLoader VisualDownloader

Details

No details

Malware family:

vidar

ID:

File name:

431b871ee44e60ff761b83249532d787cf84f918ae7019a6eebdfffbe7000cbb.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-11-29 17:05:55 UTC

Tags:

auto generic gcleaner loader autoit auto-reg winring0-sys vuln-driver stealer stealc vidar xworm

Link:

https://app.any.run/tasks/b3f6e472-cc9c-4b75-823d-36eff9c56cb4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41850/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.43726713.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692b2bc76657e34332824945

Tags:

xtreme shell sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Launching a process

Creating a process with a hidden window

Searching for the window

DNS request

Using the Windows Management Instrumentation requests

Running batch commands

Connection attempt

Sending an HTTP GET request

Creating a file

Creating a process from a recently created file

Searching for analyzing tools

Searching for synchronization primitives

Launching a tool to kill processes

Adding an exclusion to Microsoft Defender

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm cmd fingerprint lolbin microsoft_visual_basic packed zero

Link:

https://www.filescan.io/uploads/692b2bc6efb2056353590536/reports/e7dd26ca-bdc9-486d-a87d-93ddde53922c/overview

Verdict:

Malicious

Labled as:

Suspicious:Backdoor.Bifrose.akqw.jrah

Link:

https://www.hybrid-analysis.com/sample/1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158

Result

Gathering data

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/61bbf9be-2fff-44c7-ba61-638fcef6ae9e

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86

Link:

https://app.malva.re/file/1858d3717d985e1ba43e3f01d136b403

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d4v657xryx2jhabmm72gulrfk6qm75o3u3drovrxvgfw3nafifma._file

Verdict:

malicious

Label(s):

r77rootkit

XWorm

344570f8e53a13c56f8e74fba7adcfe0bf7fe0829a0b8b678ee762d345053b2d

XWorm

7cf4e952263f348a6cf37fc84468613af0311e6eb87ea7494e07204f149bbf0c

XWorm

88db7224a27c32a9c8e5b12e7be3204d483d2e1dcdd7038ca2d9e553de4a397b

XWorm

984dbd06c3a8ece43142e45d61b2aa3dfae7be270edc66153dc8d521f481d1ef

XWorm

b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd

XWorm

cb0fbc3588dab06d99ad9c9af872613452ecbb6b7c71b00a6bca4bcc64bb8d00

XWorm

error

XWorm

f8626f86d774c3d65f29ae1c31c77eae9101ebc135446989307754498fb15bfa

XWorm

+ 1'922 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm defense_evasion discovery execution persistence rat trojan

Link:

https://tria.ge/reports/251129-vxnfmswqgs/

Behaviour

Modifies data under HKEY_USERS

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Kills process with taskkill

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Launches sc.exe

ConfuserEx .NET packer

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Power Settings

.NET Reactor proctector

Checks BIOS information in registry

Checks computer location settings

Creates new service(s)

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Stops running service(s)

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Detect Xworm Payload

UAC bypass

Xworm

Xworm family

Malware Config

C2 Extraction:

88.214.50.198:4444

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4757fad6-d0c7-4820-b834-89f355f9ab5a

Unpacked files

SH256 hash:

1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158

MD5 hash:

1858d3717d985e1ba43e3f01d136b403

SHA1 hash:

570deb3e3523e5d357f3ceacb2a543a69d5ae61b

Link:

https://www.unpac.me/results/11a9425d-1dd1-41d8-bdfa-31490ad735cd/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1f2beefef1c5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1f2beefef1c5f493802c67f46a2e2557a0cff5dba6c7175637a98b6db4054158

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)