MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
SHA3-384 hash: 259eeb83efc2bd2c42ffa1bb5fa6b58a864b8a046c468811e41e3ecc14d3f29a02923403c77f5609fbe1fd3a32ea9fdb
SHA1 hash: 1d55db2dd9e556ff066e297273e402130adf515f
MD5 hash: 86357c1fffbe566da1d9903ab765f921
humanhash: romeo-idaho-tennis-sad
File name:202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:10'214'400 bytes
First seen:2024-10-22 17:35:23 UTC
Last seen:2024-10-22 18:27:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f462fcc6b830b77fb3fef2add9dc570 (9 x CoinMiner, 3 x BitRAT, 2 x XWorm)
ssdeep 196608:lW4hA5uDoRign+zgad1nu8Qely82mqwmjYBj5jY+MZ+yBSJ84k:lW4hXciVguRrlPqw4iY+q4/k
TLSH T146A62361E994EA69C2114D7CE502ECF015206F86D14CACAB2CE6FEFFB0716E547BC1A1
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 0f2b332b2b309628 (1 x XWorm)
Reporter Chainskilabs
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
470
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CMaker2.0.exe
Verdict:
Malicious activity
Analysis date:
2024-10-13 22:55:19 UTC
Tags:
evasion xworm remote telegram amsi-bypass crypto-regex
Link:
https://app.any.run/tasks/b5061f21-9f3e-4fc0-ad48-3556d5d0e153

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.27198.2506.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670c4fd7707bcd8537fb6d36
Tags:
Powershell Cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Connection attempt to an infection source
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Searching for synchronization primitives
Creating a window
Setting browser functions hooks
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Forced shutdown of a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/6717e289718466003853afe4/reports/dfd78f21-c918-463e-bdd4-3f5031bd0f37/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ef789e1-66cf-4549-94a9-964b8d7ad6e1
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1539526
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Schedule system process
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1539526 Sample: aoKTzGQSRP.exe Startdate: 22/10/2024 Architecture: WINDOWS Score: 100 85 subscribe-bond.gl.at.ply.gg 2->85 87 ip-api.com 2->87 89 dashboard.botghost.com 2->89 105 Suricata IDS alerts for network traffic 2->105 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 32 other signatures 2->111 10 aoKTzGQSRP.exe 3 2->10         started        13 powershell.exe 2->13         started        16 Deadsvchost.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 file5 75 C:\Users\user\AppData\...\CMaker 2.0.exe, PE32+ 10->75 dropped 77 C:\Users\user\AppData\Local\Temp\1.exe, PE32 10->77 dropped 20 1.exe 5 10->20         started        24 CMaker 2.0.exe 40 10->24         started        129 Writes to foreign memory regions 13->129 131 Modifies the context of a thread in another process (thread injection) 13->131 133 Found suspicious powershell code related to unpacking or dynamic code loading 13->133 135 Injects a PE file into a foreign processes 13->135 26 dllhost.exe 13->26         started        28 conhost.exe 13->28         started        137 Antivirus detection for dropped file 16->137 139 Multi AV Scanner detection for dropped file 16->139 141 Machine Learning detection for dropped file 16->141 30 WerFault.exe 18->30         started        signatures6 process7 file8 61 C:\Users\Public\DeadXClient.exe, PE32 20->61 dropped 63 C:\Users\Public\DeadROOTkit.exe, PE32 20->63 dropped 65 C:\Users\Public\DeadCodeRootKit.exe, PE32 20->65 dropped 113 Antivirus detection for dropped file 20->113 115 Multi AV Scanner detection for dropped file 20->115 117 Machine Learning detection for dropped file 20->117 127 2 other signatures 20->127 32 DeadXClient.exe 1 5 20->32         started        37 DeadROOTkit.exe 14 2 20->37         started        39 DeadCodeRootKit.exe 1 20->39         started        67 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 24->67 dropped 69 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 24->69 dropped 71 C:\Users\user\AppData\Local\...\python311.dll, PE32+ 24->71 dropped 73 17 other files (16 malicious) 24->73 dropped 41 CMaker 2.0.exe 1 24->41         started        43 conhost.exe 24->43         started        119 Injects code into the Windows Explorer (explorer.exe) 26->119 121 Writes to foreign memory regions 26->121 123 Creates a thread in another existing process (thread injection) 26->123 125 Injects a PE file into a foreign processes 26->125 45 winlogon.exe 26->45 injected 47 lsass.exe 26->47 injected 49 svchost.exe 26->49 injected 51 20 other processes 26->51 signatures9 process10 dnsIp11 79 subscribe-bond.gl.at.ply.gg 147.185.221.21, 28600, 49766, 49817 SALSGIVERUS United States 32->79 59 C:\Users\Public\Deadsvchost.exe, PE32 32->59 dropped 91 Antivirus detection for dropped file 32->91 93 Multi AV Scanner detection for dropped file 32->93 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->95 103 2 other signatures 32->103 53 schtasks.exe 32->53         started        81 ip-api.com 208.95.112.1, 49729, 80 TUT-ASUS United States 37->81 97 Machine Learning detection for dropped file 37->97 99 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->99 101 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 37->101 55 WerFault.exe 37->55         started        83 dashboard.botghost.com 188.114.97.3, 443, 49713 CLOUDFLARENETUS European Union 41->83 file12 signatures13 process14 process15 57 conhost.exe 53->57         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2024-10-13 22:55:21 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
29 of 38 (76.32%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eawlcaq2dw432wngilv646a3xl7cqt5ph7q3vdqo2hmjwody3w7q._file
Verdict:
malicious
Label(s):
r77_core
Create hunting rule
r77_installer
Create hunting rule
r77
Create hunting rule
r77_stager
Create hunting rule
xworm
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery evasion execution persistence pyinstaller rat trojan upx
Link:
https://tria.ge/reports/241022-v6kfcawgpb/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Detect Xworm Payload
Modifies security service
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Malware Config
C2 Extraction:
subscribe-bond.gl.at.ply.gg:28600
updates-full.gl.at.ply.gg:60075
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec22e0aa-44e2-4057-8b8f-92dc33956cdd
Unpacked files
SH256 hash:
5e74cadc4c72f68cead0d54855ae4da3ca130314c5baf57d29ffa64ebddbbd4a
MD5 hash:
7a9d6790054767b0af9ad8b5d74dc7a9
SHA1 hash:
c2a8e6fd143626847b5ab66e8859621cc3b4e658
Link:
https://www.unpac.me/results/061283a5-0651-45df-97af-3bffd37070a1/
SH256 hash:
18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f
MD5 hash:
b8479a23c22cf6fc456e197939284069
SHA1 hash:
b2d98cc291f16192a46f363d007e012d45c63300
Link:
https://www.unpac.me/results/061283a5-0651-45df-97af-3bffd37070a1/
SH256 hash:
56f453a47d9ccf82e18e45d56e97af9b1893680f0c95b9f86bd3ec2ce50338a7
MD5 hash:
23bb4c4b213b1d05baa26755ac55e0a2
SHA1 hash:
7fb8d66042c7d7bc4cf5cba658568304c7cc0c02
Link:
https://www.unpac.me/results/061283a5-0651-45df-97af-3bffd37070a1/
SH256 hash:
5711b50667b4de000c8031724427ec6cd00b41b760ca1608421dc47b549e2093
MD5 hash:
7dd98fc2976ee270a278e1a9a28eefae
SHA1 hash:
0497ee045226b2d310c7678ed055eeedbc88dc77
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_xworm_simple_strings
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
win_xworm_bytestring
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/061283a5-0651-45df-97af-3bffd37070a1/
Parent samples :
bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
SH256 hash:
bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
MD5 hash:
e1c82191b678cea8f3c996887ddc1232
SHA1 hash:
7946006ca278892817b7a778eea1e04f5b2f948c
Link:
https://www.unpac.me/results/061283a5-0651-45df-97af-3bffd37070a1/
SH256 hash:
4353e37a3d60dd30beeec61a812a07ba6bfc174a18cdd5a95be98666db2f7cf6
MD5 hash:
f1976ea02bffaef5ac943c2abbb7426c
SHA1 hash:
deeee7d4f336d0ba898b5579720aaf630951a72f
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/061283a5-0651-45df-97af-3bffd37070a1/
Parent samples :
bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
SH256 hash:
202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
MD5 hash:
86357c1fffbe566da1d9903ab765f921
SHA1 hash:
1d55db2dd9e556ff066e297273e402130adf515f
Link:
https://www.unpac.me/results/061283a5-0651-45df-97af-3bffd37070a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments