MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26f441d9c0ad5c0fe48fb4c64c8e70267574282e0688938d991a8db413ad13bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 18



SHA256 hash: 26f441d9c0ad5c0fe48fb4c64c8e70267574282e0688938d991a8db413ad13bf
SHA3-384 hash: 3a710211963231c75f6c86526ab290e200a439e8c6d01f158a66c42d15a9efb9ee4f7f448e95d7e302ad4521983479b2
SHA1 hash: f02d75a242e6ba40b07c37a1405cd5f030b50e99
MD5 hash: 90d90471ef22130749d66a6a6317bc80
humanhash: lactose-mississippi-nebraska-oscar
File name: 90d90471ef22130749d66a6a6317bc80.exe
Download: download sample
Signature XWorm
File size: 3'364'802 bytes
First seen: 2025-07-22 08:30:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 98304:FHAGlpT3RHcIKtLLCETJleOkL1jjDTKvIVX:lAixcB10vOvm
Threatray 775 similar samples on MalwareBazaar
TLSH T1E7F53311BAC64873E8A61AB24B3D721259B879504F72CEDF97800B5FEE711D0D731BA2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter abuse_ch
Tags: exe xworm


abuse_ch
XWorm C2:
193.181.41.17:66

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
193.181.41.17:66    https://threatfox.abuse.ch/ioc/1559274/

Intelligence


File Origin
# of uploads: 1
# of downloads: 40
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
90d90471ef22130749d66a6a6317bc80.exe
Verdict:
Malicious activity
Analysis date:
2025-07-22 08:31:01 UTC
Tags:
amadey botnet stealer loader rdp lumma auto-reg arch-exec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
obfuscate autorun shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm autoit evasive fingerprint fingerprint installer keylogger microsoft_visual_cc overlay overlay sfx
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates HTML files with .exe extension (expired dropper behavior)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Behaviour
Behavior Graph:
Behavior Graph ID: 1741880 | Sample: wx51hupa7i.exe | Start date: 22/07/2025 | Architecture: WINDOWS | Score: 100
Root signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 13 other signatures

Process tree (reconstructed from the graph; "dropped" = file written, "->" = child process, [...] = signatures on that node; two file names below had their leading "\G" and "\N" expanded by the graph renderer and are restored here):

wx51hupa7i.exe
  dropped: C:\ucXApwA\aJ9419ZA.exe (PE32), C:\ucXApwA\LmKePKzj.exe (PE32)
  -> LmKePKzj.exe  [Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection]
     -> cmd.exe  [Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy; 2 other signatures]
        -> aJ9419ZA.exe
           dropped: C:\ucXApwA\GTItGMY8.exe (PE32), C:\ucXApwA\1I4i9dIa.exe (PE32)
        -> conhost.exe
     -> 1I4i9dIa.exe
        dropped: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+), C:\Users\user\AppData\Local\...\cecho.exe (PE32), C:\Users\user\AppData\Local\...\NSudoLG.exe (PE32+), 2 other malicious files
        -> cmd.exe  [Uses cmd line tools excessively to alter registry or file data]
           -> cmd.exe -> tasklist.exe, Conhost.exe
           -> chcp.com -> Conhost.exe
           -> reg.exe -> Conhost.exe
           -> 17 other processes -> Conhost.exe
     -> GTItGMY8.exe  [Contains functionality to start a terminal service]
        dropped: C:\Users\user\AppData\Local\...\suker.exe (PE32)
        -> suker.exe  [Contains functionality to start a terminal service; Creates HTML files with .exe extension (expired dropper behavior)]
     -> 2 other processes
        -> powershell.exe  [Loading BitLocker PowerShell Module]
        -> 4 other processes -> Conhost.exe
suker.exe  [Contains functionality to start a terminal service]
  network: 176.46.157.50 (ESTPAKEE, Iran), 79.172.249.130 (SZERVERNET-HU-ASHU, Hungary), 4 other IPs or domains
  dropped: C:\Users\user\AppData\Local\...\vRDhILL.exe (PE32+), C:\Users\user\AppData\Local\...\kEdo1ik.exe (PE32+), C:\Users\user\AppData\Local\...\4i7qmmO.exe (PE32), 17 other malicious files
LmKePKzj.exe  [Binary is likely a compiled AutoIt script file]
  -> cmd.exe  [Suspicious powershell command line found]
     -> powershell.exe  [Loading BitLocker PowerShell Module]
     -> conhost.exe -> Conhost.exe
  -> 1I4i9dIa.exe -> cmd.exe -> 5 other processes
  -> GTItGMY8.exe  [Contains functionality to start a terminal service]
  -> 2 other processes
     -> schtasks.exe -> Conhost.exe
     -> 3 other processes
5 other processes  [Changes security center settings (notifications, updates, antivirus, firewall)]
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Threat name:
Win32.Trojan.Runner
Status:
Malicious
First seen:
2025-07-17 11:04:00 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:asyncrat family:ateraagent family:lumma family:njrat family:quasar family:stealc family:vidar family:xmrig family:xworm botnet:77d769476df82d449eba7255f0bae84c botnet:9fa1e2 botnet:default botnet:fun botnet:hacked botnet:office04 botnet:tasksystem credential_access defense_evasion discovery execution miner persistence rat spyware stealer trojan upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Detects videocard installed
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Modifies system certificate store
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Async RAT payload
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xmrig family
Xworm
Xworm family
njRAT/Bladabindi
xmrig
Amadey
Amadey family
AsyncRat
Asyncrat family
AteraAgent
Ateraagent family
Detect Vidar Stealer
Detect Xworm Payload
Detects AteraAgent
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Stealc
Stealc family
Malware Config
C2 Extraction:
http://176.46.157.50
http://141.98.6.181
https://t.me/iry2am
https://steamcommunity.com/profiles/76561199878419187
https://sworwdcp.top/aote
https://worlejrc.xyz/xaiw
https://permwgp.xyz/xlak
https://corronxu.xyz/xowq
https://ultracpj.xyz/apgk
https://vegemuoe.top/xauy
https://seruneqy.live/akiz
https://siniavzv.life/xajz
https://strujqwn.xyz/xkkd
https://invertdbdi.top/xjit
66.63.187.164:8596
167.160.161.247:8596
66.63.187.164:8595
mar-vietnamese.gl.at.ply.gg:26588
66.63.187.164:6666
167.160.161.247:6666
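The C2 extraction above mixes three indicator shapes: bare URLs with no port (Amadey panels and Lumma domains), host:port pairs (XWorm / AsyncRAT / Quasar-style listeners, including a playit.gg tunnel hostname) and dead-drop resolver URLs on legitimate services (Telegram, Steam). Matching them blindly as substrings either misses the port-only indicators or floods you with every Telegram request in the estate. The script below is an added example, not MalwareBazaar or ThreatFox code: it normalises the indicators listed on this page into three lookup sets and runs them over a few constructed proxy log lines. The log format, the PATH_ONLY_HOSTS rule for shared services and the choice to match port-less indicators on any destination port are my assumptions.

```python
"""Match proxy/firewall telemetry against the C2 indicators on this page.
Added example, not MalwareBazaar/ThreatFox code. Indicators are copied from
this entry (reporter's XWorm C2 plus the sandbox C2 extraction); the log
lines are constructed for the demonstration."""
from urllib.parse import urlsplit

C2_INDICATORS = [
    "193.181.41.17:66",
    "http://176.46.157.50",
    "http://141.98.6.181",
    "https://t.me/iry2am",
    "https://steamcommunity.com/profiles/76561199878419187",
    "https://sworwdcp.top/aote",
    "https://worlejrc.xyz/xaiw",
    "https://permwgp.xyz/xlak",
    "https://corronxu.xyz/xowq",
    "https://ultracpj.xyz/apgk",
    "https://vegemuoe.top/xauy",
    "https://seruneqy.live/akiz",
    "https://siniavzv.life/xajz",
    "https://strujqwn.xyz/xkkd",
    "https://invertdbdi.top/xjit",
    "66.63.187.164:8596",
    "167.160.161.247:8596",
    "66.63.187.164:8595",
    "mar-vietnamese.gl.at.ply.gg:26588",
    "66.63.187.164:6666",
    "167.160.161.247:6666",
]

# Dead-drop resolvers on legitimate services (assumption): match on host AND
# path, or every Telegram / Steam request in the environment becomes a hit.
PATH_ONLY_HOSTS = {"t.me", "steamcommunity.com"}

def normalise(ioc: str) -> tuple:
    """Return (host, port or None, path or None) for one indicator string."""
    if "://" in ioc:
        u = urlsplit(ioc)
        path = u.path if u.hostname in PATH_ONLY_HOSTS else None
        return (u.hostname, u.port, path)        # port is None when implied
    host, sep, port = ioc.rpartition(":")
    if sep and port.isdigit():
        return (host.lower(), int(port), None)
    return (ioc.lower(), None, None)

def build_index(indicators) -> tuple:
    """Split indicators into the three lookup sets used by scan_log()."""
    hosts_any_port, host_ports, host_paths = set(), set(), set()
    for ioc in indicators:
        host, port, path = normalise(ioc)
        if path is not None:
            host_paths.add((host, path))
        elif port is not None:
            host_ports.add((host, port))
        else:
            hosts_any_port.add(host)        # no port given: match any port
    return hosts_any_port, host_ports, host_paths

def scan_log(lines, index) -> list:
    """Return (timestamp, src, matched indicator) for each hit.
    Constructed log format: ts|src_ip|dst_host|dst_port|url-or-dash"""
    hosts_any_port, host_ports, host_paths = index
    hits = []
    for line in lines:
        ts, src, dst, port, url = line.strip().split("|")
        dst, port = dst.lower(), int(port)
        path = urlsplit(url).path if url != "-" else None
        if dst in hosts_any_port:
            hits.append((ts, src, f"{dst} (any port)"))
        elif (dst, port) in host_ports:
            hits.append((ts, src, f"{dst}:{port}"))
        elif path is not None and (dst, path) in host_paths:
            hits.append((ts, src, f"{dst}{path}"))
    return hits

SAMPLE_LOG = [  # constructed, not from a real incident
    "2025-07-22T08:35:01Z|10.0.0.7|193.181.41.17|66|-",
    "2025-07-22T08:35:04Z|10.0.0.7|176.46.157.50|80|http://176.46.157.50/",
    "2025-07-22T08:35:09Z|10.0.0.7|t.me|443|https://t.me/iry2am",
    "2025-07-22T08:36:12Z|10.0.0.9|t.me|443|https://t.me/unrelated_channel",
    "2025-07-22T08:36:40Z|10.0.0.9|66.63.187.164|443|-",
    "2025-07-22T08:37:02Z|10.0.0.7|mar-vietnamese.gl.at.ply.gg|26588|-",
    "2025-07-22T08:37:30Z|10.0.0.9|8.8.8.8|53|-",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_index(C2_INDICATORS)):
        print(*hit)
```

Four of the seven constructed lines should fire: the XWorm listener on port 66, the Amadey panel IP on any port, the Telegram dead drop on its exact path, and the playit.gg tunnel on its port. The Telegram request to another path and the connection to 66.63.187.164 on a port not in the list stay silent, which is the point of normalising rather than substring-matching.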
Unpacked files
SHA256 hash: 26f441d9c0ad5c0fe48fb4c64c8e70267574282e0688938d991a8db413ad13bf
MD5 hash: 90d90471ef22130749d66a6a6317bc80
SHA1 hash: f02d75a242e6ba40b07c37a1405cd5f030b50e99

SHA256 hash: 4484b17e53cffb4e70c24dc1706dbfba7b2d37814b722e15b4e22d0132f579d9
MD5 hash: 6e86e379ade24622a75e957f3a71ef17
SHA1 hash: a4446905bee0c654f173b5690c714a7366ac22e5
Detections: Amadey

SHA256 hash: 82ec0fc5c8cb106949763a4e3a76c89ad51ff25c500fd5aa6fe932a24db43d59
MD5 hash: 8243471406ed3270f110816b8ef0fae3
SHA1 hash: 952d56341670632c8b843f59846b62d367c6aa78

SHA256 hash: f3c898e854e808bf563d0db1879aa70234d4d74e21790b6da797386cec7e4ba9
MD5 hash: 19256d3a1c1b7e9a2d9a39e260b78ae1
SHA1 hash: 64c30bebb0f45e7e3f880971ef6d9934833fa436

SHA256 hash: 62a15ff6b101a5d4653ab93313ed6e0cb42e857b54da9a6c08f8efbc33da5363
MD5 hash: cc62ac8989611fc92ca22f5a46453c0c
SHA1 hash: 52dd914690dde4bc8d0ac8309ecdd9f5f80284f3
Detections: AutoIT_Compiled

SHA256 hash: bd1f4c1b3d7bb873accf04236da2848fb093c3457a3d1d4eb05986aeeebc420a
MD5 hash: d23dbe0f8cbafb87033b9a7f01472ce3
SHA1 hash: 1c621b91969feead4e4531a93167d9d559030998
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Author:malware-lu
Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:dcrat_
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:with_urls
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of one or several URLs
Reference:http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
Reviews
ID                  Capabilities                     Evidence
GDI_PLUS_API        Interfaces with Graphics         gdiplus.dll::GdiplusStartup
                                                     gdiplus.dll::GdiplusShutdown
                                                     gdiplus.dll::GdipAlloc
WIN32_PROCESS_API   Can Create Process and Threads   KERNEL32.dll::CloseHandle
                                                     KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess
                                                     KERNEL32.dll::LoadLibraryW
                                                     KERNEL32.dll::LoadLibraryExA
                                                     KERNEL32.dll::LoadLibraryExW
                                                     KERNEL32.dll::GetSystemInfo
                                                     KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API   Can Execute other programs       KERNEL32.dll::AllocConsole
                                                     KERNEL32.dll::AttachConsole
                                                     KERNEL32.dll::WriteConsoleW
                                                     KERNEL32.dll::FreeConsole
                                                     KERNEL32.dll::SetStdHandle
                                                     KERNEL32.dll::GetConsoleMode
                                                     KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::CreateDirectoryW
                                                     KERNEL32.dll::CreateHardLinkW
                                                     KERNEL32.dll::CreateFileW
                                                     KERNEL32.dll::CreateFileMappingW
                                                     KERNEL32.dll::DeleteFileW
                                                     KERNEL32.dll::MoveFileW
                                                     KERNEL32.dll::MoveFileExW
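The two BLint findings above come straight out of the PE optional header: CHECK_AUTHENTICODE means the Security data directory (index 4, which holds the WIN_CERTIFICATE blob) is empty, and CHECK_DLL_CHARACTERISTICS means the HIGH_ENTROPY_VA bit (0x0020) is clear in DllCharacteristics. Both are what you would expect from a WinRAR SFX stub wrapping a malware bundle: nobody signs it, and the stub's linker settings are whatever WinRAR shipped. The script below is an added example, not BLint's code. It reads those fields directly with struct (no pefile dependency), so it works the same on PE32 and PE32+, and builds two header-only stub images to exercise the checks; those stubs are constructed for the test and are not the XWorm sample. The finding IDs are taken from the BLint table above; everything else (function names, the stub builder) is mine.

```python
"""Reproduce the two BLint findings above by reading PE headers directly.
Added example, not BLint's own code. The stub PE images built here are
constructed for the test and are not the XWorm sample."""
import struct

HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY

def pe_security_flags(data: bytes) -> dict:
    """Return the hardening-relevant header fields of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        pe32plus, dirs = False, opt + 96
    elif magic == 0x20B:                         # PE32+
        pe32plus, dirs = True, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both header formats.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # NumberOfRvaAndSizes is the DWORD immediately before the data directories.
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sec_size = 0
    if n_dirs > SECURITY_DIR:
        # The Security entry holds a raw file offset (not an RVA) and the size
        # of the WIN_CERTIFICATE blob; size 0 means no Authenticode signature.
        _, sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    return {
        "pe32plus": pe32plus,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "authenticode": sec_size > 0,
    }

def blint_style_findings(data: bytes) -> list:
    """Emit the two finding IDs BLint reported for this sample, if they apply."""
    f = pe_security_flags(data)
    findings = []
    if not f["authenticode"]:
        findings.append("CHECK_AUTHENTICODE")
    if not f["high_entropy_va"]:
        # The bit only changes loader behaviour on 64-bit images, but BLint
        # flags its absence on any PE, so this check does the same.
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return findings

def build_stub_pe(dll_chars: int, cert_size: int, pe32plus: bool) -> bytes:
    """Construct a minimal header-only PE image for testing (not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # 64 bytes
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    n_dirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, n_dirs_off, 16)
    struct.pack_into("<II", opt, n_dirs_off + 4 + 8 * SECURITY_DIR,
                     0x400 if cert_size else 0, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    unsigned_sfx = build_stub_pe(DYNAMIC_BASE | NX_COMPAT, 0, False)
    hardened = build_stub_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT, 0x1A00, True)
    print(blint_style_findings(unsigned_sfx))   # both finding IDs
    print(blint_style_findings(hardened))       # []
```

Point pe_security_flags() at the real sample bytes (read in binary mode) to confirm the table above; on a sandbox host only. Note that a populated Security directory only proves a certificate blob is present, not that the signature verifies or that the signer is trustworthy; that check needs the full Authenticode chain validation, which is out of scope here.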

Comments