MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 272020147f63f7311c238f51c501bee8be102f5b3b3136e4a10997d8eddad770. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 12



SHA256 hash: 272020147f63f7311c238f51c501bee8be102f5b3b3136e4a10997d8eddad770
SHA3-384 hash: a911f21aa2f5f81daa4fead31ddc30cd627b47afbc948038dbd5df0b79ffcbec3451316d208297c5f7e23080ebf27631
SHA1 hash: 1c79510a7894f3649947628402e4f556d5535622
MD5 hash: 3b592133b5d45cc62e5880d50bb832f5
humanhash: utah-kitten-alanine-lemon
File name: file
Signature: XWorm
File size: 9'777'664 bytes
First seen: 2023-05-15 08:20:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 196608:J50rarsyqb8axIE1qntC+J0kFBz0ZBJDKiHlU5xndN13n5QbF7o9:JmarsyqbLUtnJ04BcDKiy3n5CFU9
Threatray 26 similar samples on MalwareBazaar
TLSH T155A62206B1CA69F2C534D375DAB7F5B1B6173EC98D27D3069B06BDB129B1AB1080C88D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 58c8d1d0cecbeeec (18 x AsyncRAT, 9 x XWorm, 6 x QuasarRAT)
Reporter andretavare5
Tags: exe xworm


andretavare5
Sample downloaded from http://globalmanysoft.com/wp-content/uploads/2023/05/Output.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 299
Origin country: US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-15 08:23:41 UTC
Tags:
evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Running batch commands
Searching for synchronization primitives
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT, XWorm
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
[Behavior graph: ID 866498, sample file.exe, start date 15/05/2023, architecture WINDOWS, score 88]
Threat name:
ByteCode-MSIL.Trojan.AsyncRAT
Status:
Malicious
First seen:
2023-05-15 08:21:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:xworm discovery rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Xworm
Malware Config
C2 Extraction:
option-trading.at.ply.gg:19729
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments