MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173
SHA3-384 hash: 02e477c0508551706c9f3bac5e2522f2973e1f209ac01da3918273ba056aa07c1737540113fb7535d102db7a93fca56e
SHA1 hash: cacc39784dc8524758f142809ba0e1ce10ea23eb
MD5 hash: 4338035331dd83fe145ae50b8287cc9f
humanhash: minnesota-autumn-floor-december
File name:VisualCode.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:588'800 bytes
First seen:2025-05-01 12:25:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b23510932b3d0f63aae2b8be70a1f033 (16 x LummaStealer, 3 x Vidar, 2 x XWorm)
ssdeep 12288:Q6bdumjqGHM1ey+1Hn5zHiJvvhGzzHiJvvhG:Q6bdumjqk3CJwCJ
Threatray 63 similar samples on MalwareBazaar
TLSH T177C4CF09939212DBFE6B82BF0421914179767C22CB684FFBA2E48322DF177C45E68775
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
549
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2025-05-01_26cc5a6cfd8e8ecc433337413c14cddb_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader
Verdict:
Malicious activity
Analysis date:
2025-05-01 11:29:53 UTC
Tags:
amadey botnet stealer loader rdp rhadamanthys vidar telegram stealc lumma ransomware shellcode rat quasar remote xworm njrat bladabindi backdoor lockbit miner
Link:
https://app.any.run/tasks/7026f78c-55aa-4a6e-80d1-4be70809554e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5617/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.2371.23969.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68136a91d5cdbfe0eb67b847
Tags:
injection virus krypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/681368618d43c3a878f8b32f/reports/b4354293-3a4a-48d1-9578-288ee1836666/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8c194dac-3637-42ac-8d9b-6824434a2bd6
Result
Threat name:
AsyncRAT, LummaC Stealer, Njrat, Quasar,
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1679109
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Disables zone checking for all users
Drops PE files to the startup folder
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Quasar RAT
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1679109 Sample: VisualCode.exe Startdate: 01/05/2025 Architecture: WINDOWS Score: 100 93 itsrevolutionmagnus.xyz 2->93 95 viriatoe.live 2->95 97 9 other IPs or domains 2->97 149 Suricata IDS alerts for network traffic 2->149 151 Found malware configuration 2->151 153 Malicious sample detected (through community Yara rule) 2->153 157 21 other signatures 2->157 11 VisualCode.exe 2->11         started        14 msedge.exe 2->14         started        17 svchost.exe 2->17         started        19 10 other processes 2->19 signatures3 155 Performs DNS queries to domains with low reputation 93->155 process4 dnsIp5 193 Contains functionality to inject code into remote processes 11->193 195 Writes to foreign memory regions 11->195 197 Allocates memory in foreign processes 11->197 199 Injects a PE file into a foreign processes 11->199 21 MSBuild.exe 43 11->21         started        121 192.168.2.7 unknown unknown 14->121 123 239.255.255.250 unknown Reserved 14->123 201 Maps a DLL or memory area into another process 14->201 26 msedge.exe 14->26         started        28 msedge.exe 14->28         started        30 msedge.exe 14->30         started        34 2 other processes 14->34 203 Changes security center settings (notifications, updates, antivirus, firewall) 17->203 32 MpCmdRun.exe 17->32         started        signatures6 process7 dnsIp8 99 t.me 149.154.167.99, 443, 49687 TELEGRAMRU United Kingdom 21->99 101 66.44.4t.com 5.75.209.111, 443, 49688, 49689 HETZNER-ASDE Germany 21->101 107 2 other IPs or domains 21->107 85 C:\Users\user\AppData\Local\...\Shtray[1].exe, PE32 21->85 dropped 87 C:\Users\user\AppData\...\Q_Browser[1].exe, PE32 21->87 dropped 89 C:\Users\user\AppData\...\MM_Slider[1].exe, PE32+ 21->89 dropped 91 11 other malicious files 21->91 dropped 185 Attempt to bypass Chrome Application-Bound Encryption 21->185 187 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->187 189 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->189 191 8 other signatures 21->191 36 7qiw4wlx4e.exe 21->36         started        40 sr16890r1d.exe 21->40         started        42 vasr90ri5x.exe 21->42         started        46 5 other processes 21->46 103 13.107.246.69, 443, 49769, 49778 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->103 105 s-part-0043.t-0009.t-msedge.net 13.107.246.71, 443, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->105 109 31 other IPs or domains 26->109 44 conhost.exe 32->44         started        file9 signatures10 process11 dnsIp12 77 C:\Users\user\Dllhost.exe, PE32 36->77 dropped 159 Antivirus detection for dropped file 36->159 161 Multi AV Scanner detection for dropped file 36->161 163 Drops PE files to the user root directory 36->163 49 Dllhost.exe 36->49         started        165 Writes to foreign memory regions 40->165 167 Allocates memory in foreign processes 40->167 169 Injects a PE file into a foreign processes 40->169 53 MSBuild.exe 40->53         started        79 C:\Users\user\...\92TFQyCoUKdvLx05.exe, PE32 42->79 dropped 171 Query firmware table information (likely to detect VMs) 42->171 173 Tries to detect sandboxes and other dynamic analysis tools (window names) 42->173 183 3 other signatures 42->183 125 192.168.2.6, 443, 49687, 49688 unknown unknown 46->125 81 C:\Users\user\AppData\Roaming\...dge.exe, PE32 46->81 dropped 83 C:\Users\user\AppData\...83vidiaDriver.exe, PE32 46->83 dropped 175 Creates multiple autostart registry keys 46->175 177 Monitors registry run keys for changes 46->177 179 Uses schtasks.exe or at.exe to add and modify task schedules 46->179 181 Hides that the sample has been downloaded from the Internet (zone.identifier) 46->181 56 NvidiaDriver.exe 46->56         started        58 MSBuild.exe 46->58         started        60 chrome.exe 46->60         started        62 2 other processes 46->62 file13 signatures14 process15 dnsIp16 73 C:\Users\user\AppData\...\Java update.exe, PE32 49->73 dropped 127 System process connects to network (likely due to code injection or exploit) 49->127 129 Multi AV Scanner detection for dropped file 49->129 131 Disables zone checking for all users 49->131 133 Drops PE files to the startup folder 49->133 111 viriatoe.live 104.21.30.146, 443, 49807, 49810 CLOUDFLARENETUS United States 53->111 135 Query firmware table information (likely to detect VMs) 53->135 137 Tries to harvest and steal ftp login credentials 53->137 139 Tries to harvest and steal browser information (history, passwords, etc) 53->139 145 2 other signatures 53->145 113 94.26.90.81, 49812, 80 ASDETUKhttpwwwheficedcomGB Bulgaria 56->113 75 C:\Users\user\AppData\...\InternetDriver.exe, PE32 56->75 dropped 141 Creates multiple autostart registry keys 56->141 64 InternetDriver.exe 56->64         started        143 Adds a directory exclusion to Windows Defender 58->143 66 powershell.exe 58->66         started        115 ogads-pa.clients6.google.com 142.250.68.234, 443, 49718, 49720 GOOGLEUS United States 60->115 117 www.google.com 192.178.49.196, 443, 49702, 49710 GOOGLEUS United States 60->117 119 3 other IPs or domains 60->119 69 conhost.exe 62->69         started        file17 signatures18 process19 signatures20 147 Loading BitLocker PowerShell Module 66->147 71 conhost.exe 66->71         started        process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-01 01:00:38 UTC
File Type:
PE+ (Exe)
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ez4quzzmhsbsu2ydmx6qdtebwl4r2yisrenh2mahplncn4lckfzq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
1f7a06256c24ce666f9e8f41e85fabd76229c2f8d920ab24b43d480d3bab9a09
XWorm
211820499bca58e45d73b85278c242b8354324fe1190686dc09d0ef254f5ef5a
XWorm
26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173
XWorm
748924e97a23601ddd8ea505b5601bbc8c7687528b921a8a6d22b5d4f9f4b41f
XWorm
b1e8b7a65e10bfe2279ce7cff591b1ca905746d61c3cfbab0eae8ac2662199af
XWorm
bdfe731c3bafa9a6e5d54268667e71febbf35ff60ac93c1c216254bb52b66aaf
XWorm
error
XWorm
+ 53 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:njrat family:quasar family:vidar family:xworm botnet:158fdd2a4f5abb978509580715e5353f botnet:office04 botnet:user credential_access defense_evasion discovery execution persistence rat spyware stealer themida trojan
Link:
https://tria.ge/reports/250501-pl9a3stvdz/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Themida packer
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://t.me/m00f3r
https://steamcommunity.com/profiles/76561199851454339
94.26.90.81:7773
https://viriatoe.live/laopx
https://brandihx.run/lowp
https://exitiumt.digital/xane
https://opusculy.top/keaj
https://civitasu.run/werrp
https://scriptao.digital/vpep
https://praetori.live/vepr
https://cdisciplipna.top/eqwu
94.26.90.81:7774
94.26.90.81:7772
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/903087b0-58dc-4254-9d73-d415303ede64
Unpacked files
SH256 hash:
26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173
MD5 hash:
4338035331dd83fe145ae50b8287cc9f
SHA1 hash:
cacc39784dc8524758f142809ba0e1ce10ea23eb
Link:
https://www.unpac.me/results/a6b62590-e95d-483c-8e9d-d5d345f45d95/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26790a672c3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3527463/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/5617/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments