MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2308bb46acec261999dd1455b9586ac7ebf3f677630e04256807130a6322e62e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 19



SHA256 hash: 2308bb46acec261999dd1455b9586ac7ebf3f677630e04256807130a6322e62e
SHA3-384 hash: 2d4aa3f1678d351cc0c9388f4bd199812d2e7f3746955ee4890c17bc05044b0737819a56f90258bbf7bb307af729d389
SHA1 hash: c2695d7a54e7447e61c735c8a5b005ec4b84b618
MD5 hash: 717a9267f1f4b00c0b8e44e9abca7fc0
humanhash: oven-floor-stream-zulu
File name: 717A9267F1F4B00C0B8E44E9ABCA7FC0.exe
Signature: XWorm
File size: 12'526'080 bytes
First seen: 2025-12-07 21:10:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'814 x AgentTesla, 19'736 x Formbook, 12'282 x SnakeKeylogger)
ssdeep: 196608:dzzsBBZe/a8EEt3ldx2ug2RfzbWXCfGX7h+F0W80g71JrrhEgAfjslz9lQatycWx:9mrEaitu6a0KC8r/rhQfqzDQ
Threatray: 2'949 similar samples on MalwareBazaar
TLSH: T197C633768A8DCF5CF37984BE71726323831F7C7A9621C919F085BA468FD0E570E92186
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm


abuse_ch
XWorm C2:
196.251.100.222:4444

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 196.251.100.222:4444
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1668945/

Intelligence


File Origin
# of uploads: 1
# of downloads: 120
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: BatToExeConverter EvilCoder UnderScored
Details:
BatToExeConverter: an RC4 decrypted batch script or command line
EvilCoder: extracted components, their filepaths, and possibly registry installation
NETReactor: decrypted strings
PEPacker: a UPX version number and an unpacked binary
UnderScored: an extracted component decrypted using a custom cipher and zlib, and a string XOR key
UnderScored: a plaintext component from a .NET resource
Malware family: n/a
ID: 1
File name: _2308bb46acec261999dd1455b9586ac7ebf3f677630e04256807130a6322e62e.exe
Verdict: Malicious activity
Analysis date: 2025-12-07 21:10:38 UTC
Tags: auto-startup telegram xworm ims-api generic netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: infosteal redline autorun
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
DNS request
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Running batch commands
Launching a process
Connection attempt
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Launching a file downloaded from the Internet
Verdict: Malicious
Labeled as: Backdoor.Marte.VenomRAT.Generic
Verdict: Malicious
File Type: exe x32
First seen: 2025-12-04T19:58:00Z UTC
Last seen: 2025-12-06T09:24:00Z UTC
Hits: ~10
Detections: Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.MSIL.Upatre.gen HEUR:Trojan.BAT.Agent.gen Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a Backdoor.MSIL.Agent.sb PDM:Worm.Win32.Generic PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.XWorm.evh Backdoor.XWorm.HTTP.C&C RemoteAdmin.ConnectWise.HTTP.C&C
Malware family: Snake Keylogger
Verdict: Malicious
Result
Threat name: PureLog Stealer, XWorm
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Performs DNS queries to domains with low reputation
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive USB information (via WMI, WIN32_USBHUB, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Set custom UserAgent and download file via Powershell
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected XWorm
Behaviour
Behavior Graph (rendered graph recovered as text; graph ID 1828538, sample AcA2FIqZJg.exe, start date 07/12/2025, architecture WINDOWS, score 100):

Network:
- Root: myvnc.ddns.net (Uses dynamic DNS services), hestiapanel.xyz (Performs DNS queries to domains with low reputation), 8 other IPs or domains
- svchost.exe: api.telegram.org 149.154.167.220:443 (TELEGRAMRU, United Kingdom); hestiapanel.xyz 196.251.100.222:4444 (ANGANI-ASKE, Seychelles)
- Child processes of svchost.exe: ip-api.com 208.95.112.1:443 (TUT-ASUS, United States); i.ibb.co 207.174.26.219 (RCN-ASUS, United States); 3 other IPs or domains
- powershell.exe (started by cmd.exe): us.loclx.io 45.55.35.48:443 (DIGITALOCEAN-ASNUS, United States)
- PING.EXE: 127.0.0.1

Dropped files:
- By AcA2FIqZJg.exe: C:\Users\user\Desktop\thor64.exe (PE32+); C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\ProgramData\Install.exe (PE32); C:\Users\user\AppData\...\AcA2FIqZJg.exe.log (CSV)
- By svchost.exe: C:\Users\user\AppData\Local\Temp\dxfmbz.exe (PE32)
- By Install.exe: C:\Users\user\AppData\Local\Temp\...\C8B4.bat (ASCII)
- By child processes of svchost.exe: C:\Users\user\AppData\...\msedgewebview3.exe (PE32)

Process tree and signatures:
- Root signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 16 other signatures. Started processes: AcA2FIqZJg.exe, msedgewebview3.exe (two instances), 3 other processes.
- AcA2FIqZJg.exe: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Drops PE files with benign system names. Starts svchost.exe, Install.exe, thor64.exe and 3 other processes.
- svchost.exe: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures. Starts 5 other processes, which in turn show Multi AV Scanner detection for dropped file, Queries sensitive video device information (Win32_VideoController), Queries sensitive physical memory information (Win32_PhysicalMemory), 8 other signatures, and start msedgewebview3.exe, two powershell.exe instances and 17 other processes.
- Install.exe -> cmd.exe: Suspicious powershell command line found; Uses ping.exe to sleep; Tries to download and execute files (via powershell); Uses ping.exe to check the status of other devices and networks. Starts PING.EXE, powershell.exe, conhost.exe and 4 other processes.
- thor64.exe: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); Tries to detect debuggers (CloseHandle check); 3 other signatures. Starts conhost.exe.
- msedgewebview3.exe (root instances): Multi AV Scanner detection for dropped file; each starts powershell.exe and 2 other processes.
- msedgewebview3.exe (dropped instance): Adds a directory exclusion to Windows Defender; starts three powershell.exe instances and 2 other processes.
- powershell.exe instances: Loading BitLocker PowerShell Module; each starts conhost.exe.
- Other: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes); numerous further conhost.exe children.
Verdict: inconclusive
YARA: 9 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.22 Win 32 Exe x86
Threat name: Win32.Backdoor.MarteVenomRAT
Status: Malicious
First seen: 2025-12-05 02:28:40 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 28 of 36 (77.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery execution upx
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
.NET Reactor protector
Checks computer location settings
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction: https://myvnc.ddns.net/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest
Verdict: Malicious
Tags: Win.Packed.Packy-10033570-0
YARA: n/a
Unpacked files

SHA256 hash: 2308bb46acec261999dd1455b9586ac7ebf3f677630e04256807130a6322e62e
MD5 hash: 717a9267f1f4b00c0b8e44e9abca7fc0
SHA1 hash: c2695d7a54e7447e61c735c8a5b005ec4b84b618

SHA256 hash: ba3d8e9f06652a8d6f06631a6909a5f1383732d92bc546daa02ddf2a4a2d4556
MD5 hash: 1206d58740e60bd9e2b977b1c000965e
SHA1 hash: 97e03db79448be6921e8d9fc1fec69e49a30edd7
Detections: win_samsam_auto SUSP_OBF_NET_Reactor_Native_Stub_Jan24 MAL_Malware_Imphash_Mar23_1 MetaStealer_NET_Reactor_packer MALWARE_Win_RedLine

SHA256 hash: 7a416ad9bf510c53af23b10f1ee3eb349d17523b13f871f18f013d08ee141173
MD5 hash: 0bac39654c48f09660b9d52fe72d7548
SHA1 hash: 6f1fb540a897610ea3861bf8c7b670bfba72d678
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24 INDICATOR_EXE_Packed_DotNetReactor

SHA256 hash: 68f4a6605b2f67daaf439d0df2d1b5e5a29f6f3f0ba7bfc3080ab06885a965ec
MD5 hash: a51cf81cf07bc64fd708af67a269a0a7
SHA1 hash: f031e7e2edad5c00b2388a8dad65751a7e196273
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24 INDICATOR_EXE_Packed_DotNetReactor
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_imphash

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_THOR_Unsigned_Oct23_1
Author: Florian Roth
Description: Detects unsigned version of THOR scanner, which could be a backdoored / modified version of the scanner
Reference: Internal Research

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments